hybrid security analysis of web JavaScript code via dynamic partial evaluation

Slide 1: hybrid security analysis of web JavaScript code via dynamic partial evaluation
Omer Tripp, Pietro Ferrara, Marco Pistoia (IBM Research, NY)
Work published at the ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2014). Recipient of the ACM SIGSOFT Distinguished Paper Award.

Slide 2: web client-side code*
(bar chart: share of client-side code 9 years ago, 4 years ago and today; the axis ticks, 0% to 38%, did not survive transcription as a readable series)
* data due to IBM application security research team

Slide 3: client-side vulnerabilities*

DOM-based XSS:
    var pos = document.location.href.indexOf("name=");
    document.write(document.URL.substring(pos, document.URL.length));

open redirect:
    var pos = document.location.href.indexOf("target=");
    var val = document.location.href.substring(pos);
    document.location.href = "..." + val;   // the constant prefix string was lost in transcription

>15% vulnerable to these attacks!
* data due to IBM application security research team

Slide 4: reflected XSS (diagram)
attacker -> victim: link embedded with evil script
victim -> web app: script reflected into HTML response without proper encoding
result: attacker's evil script executed using victim's credentials

Slide 5: DOM-based XSS (diagram)
attacker -> victim: link to ibm.com carrying name=<script> </script> in the URL
NO reflection into HTML response; the evil script is NOT sent to the server

Slide 7: open redirect (diagram)
attacker -> victim: link to ibm.com; the vulnerable page sends the victim on to attacker.com

Slide 9: JavaScript complexities

Slide 10: JavaScript complexities: eval and its relatives
    eval("document.write('evil')");

Slide 11: JavaScript complexities: reflective property access
    var a = "foo" + "bar";
    var b = obj[a];

Slide 12: JavaScript complexities: arguments array
    function bar() {
      if (arguments.length > 3) foo(arguments[2]);
    }
    bar(1, x, 3);

Slide 13: JavaScript complexities: prototype-chain property lookup
    function F() { this.f = document.location; }
    function G() { }
    G.prototype = new F();
    var g = new G();
    write(g.f);   // the lookup walks g -> G.prototype (an F instance), so document.location reaches write

Slide 14: JavaScript complexities: function pointers
    var m = function() { };
    var k = function(f) { f(); };
    k(m);

Slide 15: JavaScript complexities: lexical scoping
    function foo() {
      var y = 42;
      var bar = function() { write(y); };
    }

Slide 17: motivating example
    var search_term = "login.html";
    var str = document.URL;                       // source
    var url_check = str.indexOf(search_term);
    if (url_check > -1) {
      var result = str.substring(0, url_check);
      result = result + "login.jsp" + str.substring(url_check + search_term.length, str.length);
      document.URL = result;                      // sink
    }
(real-world JavaScript code from the Alcatel-Lucent website)

Slide 24: taint analysis
    var search_term = "login.html";
    var str = document.URL;                       // source
    var url_check = str.indexOf(search_term);
    if (url_check > -1) {
      var result = str.substring(0, url_check);
      result = result + "login.jsp" + str.substring(url_check + search_term.length, str.length);
      document.URL = result;                      // sink
    }
BOOM?! (taint analysis reports the flow from the source document.URL into the sink document.URL)
(real-world JavaScript code from the Alcatel-Lucent website)

Slides 25-27: dynamic partial evaluation
The same code after the DOM reference has been replaced by the concrete value observed at run time, and the string operations over that value have been evaluated away (the concrete strings shown on the slides did not survive transcription):
    var search_term = "login.html";
    var str = /* concrete document.URL supplied by the dynamic oracle */;
    var url_check = str.indexOf(search_term);
    if (url_check > -1) {
      var result = /* concrete value of str.substring(0, url_check) */;
      result = /* concrete value of result + "login.jsp" + str.substring(url_check + search_term.length, str.length) */;
      document.URL = result;
    }
(real-world JavaScript code from the Alcatel-Lucent website)

Slides 28-31: our hybrid approach

Dynamic Oracle
- Crawls the Web site
- Collects dynamic information
- Links references to the DOM with partially concretized values
(illustrated on the motivating example: the GET of the page yields the concrete value that replaces document.URL in "var str = ...;")

Traditional Static Taint Analysis
- Looks for flows from sources to sinks

Static String Analysis
- Determines which parts of a string are beyond user control
- Leverages string information for better classification of findings

Properties highlighted on the slides: accuracy, coverage, lightweight.

Slide 32: static analysis: JSA intuition
document.location = system-controlled prefix + attacker-controlled suffix

Slides 33-42: static analysis: JSA domain and transformers
The abstract state consists of Prx (prefix facts) and Idx (index facts). The slides step through the example below after document.location has been replaced by its concretized value (lost in transcription); the right-hand column is the state as displayed on the slides after each statement:

    var str = /* concretized document.location */;   {str}
    var lstr = str.toLowerCase();                     {str}, {lstr}
    var n = lstr.indexOf("login.html");               {str}, {lstr}, {n: 13}
    if (n > -1) {
      var tmp = str.substring(0, n);                  {str}, {lstr}, {tmp}, {n: 13}
      document.location.href = tmp;
    }

Slide 43: note on implementation
- JSA written atop the WALA framework
- IFDS problem / distributive analysis
- optimization: staged analysis
  1st stage: taint analysis
  2nd stage: JSA applied to source/sink pairs not eliminated by taint analysis
- featured in IBM Security AppScan Standard Edition (AppScan Std) V8.6

Slide 44: evaluation benchmarks
- 170,000 webpages / 675 websites: Fortune 500, top 100 (…), handpicked security and IT websites
- up to 500 pages per site via nonintrusive crawling: no login, only link crawling

Slides 45-47: evaluation benchmarks (examples)

    var pageurl = window.location;
    var cid = document.getElementById("ctl00_contentplaceholder1_hdncontentid").value;
    var url = "/CMS/OverviewPrint.aspx?id=" + cid + "&url=" + pageurl;
    openpopupwindow(url);
(from the Corning website)
Both cid and pageurl flow into the target URL's query string, after the "?".

    var url = window.location.href;
    var i = url.indexOf("?");
    if (i > 0) { url = url.substring(0, i); i = url.indexOf("/ntopic/"); }
    if (i < 0) { return; }
    url = url.substring(0, i + 1);
    url = url + "livehelp/?pluginid=" + a;   // fragment: a is defined elsewhere in the page's script
    window.location.href = url;
(from the IBM Team Concert website)
Computes a prefix of the URL string that lies within the host path, and appends the constant string "livehelp/?pluginid=".

Slide 48: 1st experiment: comparison with taint analysis
- compared against commercial taint analysis (used in AppScan Std V8.5)
- entire set of webpages
- manual classification of results by professional ethical hacker (from IBM application security team): TP/FP

Slide 49: 1st experiment: results
(bar chart of TPs and FPs for JSA vs. taint analysis; the bar labels are garbled in the transcription) 90% reduction in FPs!!

Slides 50-52: evaluation: FPs?
    function changezipredirect(zipcoderedirect) {
      var currurl = document.location.href;
      /* ... */
      wcmcontext = currurl.split("WCM GLOBAL CONTEXT");
      var redirectstr = wcmcontext[1];
      /* ... */
      if (redirectstr.match("pmapmc=") == null) {
        /* redirect to the zipcode page */
        document.location.href = zipcoderedirect + "&redirecturl" + redirectstr;
      }
    }
(from the Alltel website)
unresolved constant!

Slide 53: 2nd experiment: comparison with black-box testing
- compared against commercial testing engine (that of AppScan Std V8.6)
- ~10% (60 / 675) of websites sampled at random
- website fragment retrieved by crawler deployed locally for intrusive testing

Slide 54: 2nd experiment: results
    configuration    vulnerable websites    false positives
    JSA enabled      33                     4
    JSA disabled     8                      0

Slide 55: conclusion
- JavaScript security: a BIG deal
- taint analysis: poor user experience (>60% FPs!)
- the key: dynamic partial evaluation: high coverage, precision boost with low overhead
- JSA: novel form of string analysis, scalable (staged solution atop taint analysis), 90% reduction in FPs!

Slide 56:
    <script> alert("thank you!") </script>


More information

Self-Learning Systems for Network Intrusion Detection

Self-Learning Systems for Network Intrusion Detection Self-Learning Systems for Network Intrusion Detection Konrad Rieck Computer Security Group University of Göttingen GEORG-AUGUST-UNIVERSITÄT GÖTTINGEN About Me» Junior Professor for Computer Security» Research

More information

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components CNIT 129S: Securing Web Applications Ch 10: Attacking Back-End Components Injecting OS Commands Web server platforms often have APIs To access the filesystem, interface with other processes, and for network

More information

INJECTING SECURITY INTO WEB APPS WITH RUNTIME PATCHING AND CONTEXT LEARNING

INJECTING SECURITY INTO WEB APPS WITH RUNTIME PATCHING AND CONTEXT LEARNING INJECTING SECURITY INTO WEB APPS WITH RUNTIME PATCHING AND CONTEXT LEARNING AJIN ABRAHAM SECURITY ENGINEER #WHOAMI Security Engineering @ Research on Runtime Application Self Defence Authored MobSF, Xenotix

More information

Static Analysis of JavaScript. Ben Hardekopf

Static Analysis of JavaScript. Ben Hardekopf Static Analysis of JavaScript Insights and Challenges Ben Hardekopf Department of Computer Science University of California, Santa Barbara Setting Expectations What this talk is about Brief introduction

More information

JOE WIPING OUT CSRF

JOE WIPING OUT CSRF JOE ROZNER @JROZNER WIPING OUT CSRF IT S 2017 WHAT IS CSRF? 4 WHEN AN ATTACKER FORCES A VICTIM TO EXECUTE UNWANTED OR UNINTENTIONAL HTTP REQUESTS WHERE DOES CSRF COME FROM? 6 SAFE VS. UNSAFE Safe GET HEAD

More information

Vulnerability Management From B Movie to Blockbuster Rahim Jina

Vulnerability Management From B Movie to Blockbuster Rahim Jina Vulnerability Management From B Movie to Blockbuster Rahim Jina 5 December 2018 Rahim Jina COO & Co-Founder Edgescan & BCC Risk Advisory @rahimjina rahim@edgescan.com HACKED Its (not) the $$$$ Information

More information

FIRE-FOX XSS PREVENTION

FIRE-FOX XSS PREVENTION Zhen Huang Nikolay Pavlovich Laptev Jason Liu FIRE-FOX XSS PREVENTION I. INTRODUCTION In recent years XSS attacks have become more widespread due to the growing popularity of AJAX and other dynamic web

More information

Finding Vulnerabilities in Source Code

Finding Vulnerabilities in Source Code Finding Vulnerabilities in Source Code Jason Miller CSCE 813 Fall 2012 Outline Approaches to code review Signatures of common vulnerabilities Language-independent considerations Tools for code browsing

More information

deseo: Combating Search-Result Poisoning Yu USF

deseo: Combating Search-Result Poisoning Yu USF deseo: Combating Search-Result Poisoning Yu Jin @MSCS USF Your Google is not SAFE! SEO Poisoning - A new way to spread malware! Why choose SE? 22.4% of Google searches in the top 100 results > 50% for

More information

CS 155 Project 2. Overview & Part A

CS 155 Project 2. Overview & Part A CS 155 Project 2 Overview & Part A Project 2 Web application security Composed of two parts Part A: Attack Part B: Defense Due date: Part A: May 5th (Thu) Part B: May 12th (Thu) Project 2 Ruby-on-Rails

More information

Trusted Types - W3C TPAC

Trusted Types - W3C TPAC Trusted Types - W3C TPAC Krzysztof Kotowicz, Google koto@google.com https://github.com/wicg/trusted-types Slides: https://tinyurl.com/tttpac DOM XSS DOM XSS is a growing, prevalent problem source sink

More information

Solution of Exercise Sheet 5

Solution of Exercise Sheet 5 Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University saarland university computer science Solution of Exercise Sheet 5 1 SQL Injection Consider a website foo.com

More information

ESORICS September Martin Johns

ESORICS September Martin Johns SessionSafe: Implementing XSS Immune SessionHandling Universität Hamburg ESORICS 06 20. September 2006 Martin Johns Fachbereich Informatik SVS Sicherheit in Verteilten Systemen Me, myself and I Martin

More information

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s Session I of III JD Nir, Security Analyst Why is this important? ISE Proprietary Agenda About ISE Web Applications

More information

Web Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le

Web Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le Web Security Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le Topics Web Architecture Parameter Tampering Local File Inclusion SQL Injection XSS Web Architecture Web Request Structure Web Request Structure

More information

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma Indian Computer Emergency Response Team ( CERT - IN ) Department Of Information Technology 1 Agenda Introduction What are Web Applications?

More information

Penetration Testing. James Walden Northern Kentucky University

Penetration Testing. James Walden Northern Kentucky University Penetration Testing James Walden Northern Kentucky University Topics 1. What is Penetration Testing? 2. Rules of Engagement 3. Penetration Testing Process 4. Map the Application 5. Analyze the Application

More information

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS 180 CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS 8.1 SUMMARY This research has focused on developing a Web Applications Secure System from Code Injection Vulnerabilities through Web Services (WAPS-CIVS),

More information

John Coggeshall Copyright 2006, Zend Technologies Inc.

John Coggeshall Copyright 2006, Zend Technologies Inc. PHP Security Basics John Coggeshall Copyright 2006, Zend Technologies Inc. Welcome! Welcome to PHP Security Basics Who am I: John Coggeshall Lead, North American Professional Services PHP 5 Core Contributor

More information

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Computer Security 3e. Dieter Gollmann.  Chapter 18: 1 Computer Security 3e Dieter Gollmann www.wiley.com/college/gollmann Chapter 18: 1 Chapter 18: Web Security Chapter 18: 2 Web 1.0 browser HTTP request HTML + CSS data web server backend systems Chapter

More information

PROCE55 Mobile: Web API App. Web API. https://www.rijksmuseum.nl/api/...

PROCE55 Mobile: Web API App. Web API. https://www.rijksmuseum.nl/api/... PROCE55 Mobile: Web API App PROCE55 Mobile with Test Web API App Web API App Example This example shows how to access a typical Web API using your mobile phone via Internet. The returned data is in JSON

More information

THE BUSINESS CASE FOR OUTSIDE-IN DATA CENTER SECURITY

THE BUSINESS CASE FOR OUTSIDE-IN DATA CENTER SECURITY THE BUSINESS CASE FOR OUTSIDE-IN DATA CENTER SECURITY DATA CENTER WEB APPS NEED MORE THAN IP-BASED DEFENSES AND NEXT-GENERATION FIREWALLS table of contents.... 2.... 4.... 5 A TechTarget White Paper Does

More information

We will show you how we bypassed every XSS mitigation we tested. Mitigation bypass-ability via script gadget chains in 16 popular libraries

We will show you how we bypassed every XSS mitigation we tested. Mitigation bypass-ability via script gadget chains in 16 popular libraries We will show you how we bypassed every XSS mitigation we tested. Mitigation bypass-ability via script gadget chains in 16 popular libraries PoCs included Content Security Policy WAFs whitelists nonces

More information

What's new in AppScan Standard/Enterprise/Source version

What's new in AppScan Standard/Enterprise/Source version What's new in AppScan Standard/Enterprise/Source version 9.0.3.4 support Open Mic Reminder: You must dial-in to the phone conference to listen to the panelists. The web cast does not include audio. USA

More information

The Web of Confusion. Douglas Crockford Yahoo! Inc.

The Web of Confusion. Douglas Crockford Yahoo! Inc. The Web of Confusion Douglas Crockford Yahoo! Inc. http://crockford.com/codecamp/confusion.ppt Web 2.0 Security and Privacy The problems started in 1995. We have made no progress on the fundamental problems

More information

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing Advancing Expertise in Security Testing Taming the Wild West Canberra, Australia 1 Who is this guy? Andrew

More information

The Eval that Men Do

The Eval that Men Do The Eval that Men Do Gregor Richard Christian Hammer Brian Burg Jan Vitek Vincent Foley-Bourgon COMP-621 - Winter 2014 McGill University February 2014 The paper Information 3 authors from Purdue University

More information

More on JavaScript Functions

More on JavaScript Functions More on JavaScript Functions Nesting Function Definitions Function definitions can be nested. function hypotenuse(a, b) function square(x) return x * x; return Math.sqrt(square(a) + square(b));

More information

Malicious Web Page Detection Based on Anomaly Behavior

Malicious Web Page Detection Based on Anomaly Behavior Malicious Web Page Detection Based on Anomaly Behavior Chia-Mei Chen Department of Information Management, National Sun Yat-Sen University, Taiwan 2009/7/28 1 Outline 1 Introductions 2 The Proposed Approach

More information

Practical Automated Web Application Attack Techniques Justin Clarke Gotham Digital Science Gotham Digital Science Ltd

Practical Automated Web Application Attack Techniques Justin Clarke Gotham Digital Science Gotham Digital Science Ltd Practical Automated Web Application Attack Techniques Justin Clarke Gotham Digital Science Why this talk? The techniques are well known, but how about some way of applying ppy them? Commercial tools are

More information

What's new in AppScan Standard version

What's new in AppScan Standard version What's new in AppScan Standard version 9.0.3.5 IBM Audio Security Connection support dialog by Open access Mic the Slides and more information: http://www.ibm.com/support/docview.wss?uid=swg27049311 February

More information

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

CIS 700/002 : Special Topics : OWASP ZED (ZAP) CIS 700/002 : Special Topics : OWASP ZED (ZAP) Hitali Sheth CIS 700/002: Security of EMBS/CPS/IoT Department of Computer and Information Science School of Engineering and Applied Science University of

More information

Security Solution. Web Application

Security Solution. Web Application Web Application Security Solution Netsparker is a web application security solution that can be deployed on premise, on demand or a combination of both. Unlike other web application security scanners,

More information

PES DEGREE COLLEGE BANGALORE SOUTH CAMPUS 1 K.M. before Electronic City, Bangalore WEB PROGRAMMING Solution Set II

PES DEGREE COLLEGE BANGALORE SOUTH CAMPUS 1 K.M. before Electronic City, Bangalore WEB PROGRAMMING Solution Set II PES DEGREE COLLEGE BANGALORE SOUTH CAMPUS 1 K.M. before Electronic City, Bangalore 560 100 WEB PROGRAMMING Solution Set II Section A 1. This function evaluates a string as javascript statement or expression

More information

Hacking 102 Integrating Web Application Security Testing into Development

Hacking 102 Integrating Web Application Security Testing into Development Hacking 102 Integrating Web Application Security Testing into Development Greg Pedley - gpedley@au1.ibm.com Brett Wallace - bretwal@au1.ibm.com Denice Wong deniwong@au1.ibm.com An IBM Proof of Technology

More information

Comp 426 Midterm Fall 2013

Comp 426 Midterm Fall 2013 Comp 426 Midterm Fall 2013 I have not given nor received any unauthorized assistance in the course of completing this examination. Name: PID: This is a closed book exam. This page left intentionally blank.

More information

A Structural Operational Semantics for JavaScript

A Structural Operational Semantics for JavaScript Dept. of Computer Science, Stanford University Joint work with Sergio Maffeis and John C. Mitchell Outline 1 Motivation Web Security problem Informal and Formal Semantics Related work 2 Formal Semantics

More information

Security. CSC309 TA: Sukwon Oh

Security. CSC309 TA: Sukwon Oh Security CSC309 TA: Sukwon Oh Outline SQL Injection NoSQL Injection (MongoDB) Same Origin Policy XSSI XSS CSRF (XSRF) SQL Injection What is SQLI? Malicious user input is injected into SQL statements and

More information

SQL Injection Attacks and Defense

SQL Injection Attacks and Defense SQL Injection Attacks and Defense Justin Clarke Lead Author and Technical Editor Rodrigo Marcos Alvarez Dave Hartley Joseph Hemler Alexander Kornbrust Haroon Meer Gary O'Leary-Steele Alberto Revelli Marco

More information

Protect your apps and your customers against application layer attacks

Protect your apps and your customers against application layer attacks Protect your apps and your customers against application layer attacks Development 1 IT Operations VULNERABILITY DETECTION Bots, hackers, and other bad actors will find and exploit vulnerabilities in web

More information

How to Sandbox IIS Automatically without 0 False Positive and Negative

How to Sandbox IIS Automatically without 0 False Positive and Negative How to Sandbox IIS Automatically without 0 False Positive and Negative Professor Tzi-cker Chiueh Computer Science Department Stony Brook University chiueh@cs.sunysb.edu 1/10/06 Blackhat Federal 2006 1

More information

Web Application Attacks

Web Application Attacks Web Application Attacks What can an attacker do and just how hard is it? By Damon P. Cortesi IOActive, Inc. Comprehensive Computer Security Services www.ioactive.com cortesi:~

More information

Hacking Web Sites Cross Site Scripting

Hacking Web Sites Cross Site Scripting Hacking Web Sites Cross Site Scripting Emmanuel Benoist Spring Term 2018 Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 1 Table of Contents Presentation Stored

More information

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis CSE361 Web Security Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application

More information

Web 2.0 Attacks Explained

Web 2.0 Attacks Explained Web 2.0 Attacks Explained Kiran Maraju, CISSP, CEH, ITIL, ISO27001, SCJP Email: Kiran_maraju@yahoo.com Abstract This paper details various security concerns and risks associated with web 2.0 technologies

More information

Securing your Appeon Mobile & Web Applications

Securing your Appeon Mobile & Web Applications Securing your Appeon Mobile & Web Applications For PowerBuilder, Appeon Web & Appeon Mobile Powered by Sponsored by An Actual Implementation Case Study! By Chris Pollach President: Software Tool & Die

More information

a bayesian approach to privacy enforcement in smartphones

a bayesian approach to privacy enforcement in smartphones USENIX Security, 2014 a bayesian approach to privacy enforcement in smartphones Omer Tripp!! IBM Research, NY!! Julia Rubin!! IBM Research, Haifa 1 motivation * http://hackread.com/android-malware-steals-credit-card-information/

More information

Ruby on Rails Secure Coding Recommendations

Ruby on Rails Secure Coding Recommendations Introduction Altius IT s list of Ruby on Rails Secure Coding Recommendations is based upon security best practices. This list may not be complete and Altius IT recommends this list be augmented with additional

More information

Brochure. Security. Fortify on Demand Dynamic Application Security Testing

Brochure. Security. Fortify on Demand Dynamic Application Security Testing Brochure Security Fortify on Demand Dynamic Application Security Testing Brochure Fortify on Demand Application Security as a Service Dynamic Application Security Testing Fortify on Demand delivers application

More information

Wayward Wi-Fi. How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk

Wayward Wi-Fi. How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk Wayward Wi-Fi How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk 288 MILLION There are more than 288 million unique Wi-Fi networks worldwide. Source: Wireless Geographic Logging

More information

Fortify Software Security Content 2017 Update 4 December 15, 2017

Fortify Software Security Content 2017 Update 4 December 15, 2017 Software Security Research Release Announcement Micro Focus Security Fortify Software Security Content 2017 Update 4 December 15, 2017 About Micro Focus Security Fortify SSR The Software Security Research

More information