Static analysis of PHP applications
Size: px
Start display at page:

Download "Static analysis of PHP applications"

Transcription

1 Static analysis of PHP applications Ondřej Šerý DISTRIBUTED SYSTEMS RESEARCH GROUP CHARLES UNIVERSITY PRAGUE Faculty of Mathematics and Physics

2 References G. Wassermann, Z. Su: Static Detection of Cross-Site Scripting Vulnerabilities, Proceedings of 30 th International Conference on Software Engineering (ICSE 08). G. Wassermann, Z. Su: Sound and Precise Analysis of Web Applications for Injection Vulnerabilities, Proceedings of Programming Language Design and Implementation (PLDI 07). 2

3 PHP application vulnerability example <?php $user = $_GET["user"]; $query = "SELECT text FROM notes WHERE user_id = '$user'"; $result = mysql_query($query); $num = mysql_numrows($result); echo "<h1>your notes</h1>"; $i = 0; while ($i < $num) { $text = mysql_result($result, $i++, "text"); echo "<b>note #$i</b>$text<br>"; }?> 3

4 PHP application vulnerability example <?php $user = $_GET["user"]; $user = str_replace("'","''", $user); $query = "SELECT text FROM notes WHERE user_id = '$user'"; $result = mysql_query($query); $num = mysql_numrows($result); echo "<h1>your notes</h1>"; $i = 0; while ($i < $num) { $text = mysql_result($result, $i++, "text"); echo "<b>note #$i</b>$text<br>"; }?> 4

5 PHP application vulnerability example <?php $user = $_GET["user"]; $user = addslashes($user); $query = "SELECT text FROM notes WHERE user_id = '$user'"; $result = mysql_query($query); $num = mysql_numrows($result); echo "<h1>your notes</h1>"; $i = 0; while ($i < $num) { $text = mysql_result($result, $i++, "text"); echo "<b>note #$i</b>$text<br>"; }?> 5

6 PHP application vulnerability example <?php $user = $_GET["user"]; $user = mysql_real_escape_string($user); $query = "SELECT text FROM notes WHERE user_id = '$user'"; $result = mysql_query($query); $num = mysql_numrows($result); echo "<h1>your notes:</h1>"; $i = 0; while ($i < $num) { $text = mysql_result($result, $i++, "text"); echo "<b>note $i</b>$text<br/>"; }?> 6

7 PHP application vulnerability example <?php $user = $_GET["user"]; $user = mysql_real_escape_string($user); $query = "SELECT text FROM notes WHERE user_id = '$user'"; $result = mysql_query($query); $num = mysql_numrows($result); echo "<h1>your notes:</h1>"; }?> $i = 0; while ($i < $num) { $text = mysql_result($result, $i++, "text"); echo "<b>note $i</b>$text<br/>"; <script> document.location=' +document.cookie </script> 7

8 PHP application vulnerability example <?php $user = $_GET["user"]; $user = mysql_real_escape_string($user); $query = "SELECT text FROM notes WHERE user_id = '$user'"; $result = mysql_query($query); $num = mysql_numrows($result); echo "<h1>your notes:</h1>"; $i = 0; while ($i < $num) { $text = mysql_result($result, $i++, "text"); echo "<b>note $i</b>$text<br/>"; }?> <a href="javascript:document.location= ' </a> 8

9 Web application errors (SQLI, XSS) Considered the most dangerous bugs e.g. CWE ( 1) Cross-site scripting (XSS) 2) SQL Injection (SQLI) 3) Buffer overflow Exposition Large attack surface 24/7 exposition to an attacker 9

10 Motivation PHP is very popular Over domains 3 rd most popular language (March 2010) Based on Extremely easy to: Start Tons of tutorials Available on almost all web hostings Do it wrong! Prone to attacks SQLI, XSS Confusion addslashes() vs. pg_escape_string() Too many crappy information sources 10

11 Motivation Try google PHP Tutorial First 4 results that even get to DB access Not a single one shows SQLI protection right 1 downright wrong 2 at least mentioned the risk Inappropriate solution e.g., str_replace("'","''", $payload); 1 does not pass user input to the query No WHERE clause used XSS not mentioned like ever 11

12 Specifics and challenges? Dynamic nature Loss of semantics (and compiler checks) eval $meta_code_for_fun; Different levels of execution Server, DB Server, Client Little data and code separation The NX bit all over again Focus on strings Very precise information is necessary 12

13 Approaches (1) Client-side Crawling the website Pass invalid data to cause error / indicate XSS weakness For a list specific to XSS see, e.g., Concolic testing Find input to increase coverage Not specific to XSS In-browser protection BrowserShield Filters JavaScript to known vulnerabilities From a central server Not specific to XSS Beep (Browser-Enforced Embedded Policies) Browser asks the server to authorize trusted scripts Hard to deploy Both servers and clients have to be adapted 13

14 Approaches (2) Server-side Taint analysis Dataflow graph Sources, sanitizers, sinks How to find them? User classification Statistical guess Merlin Source: $data = _GET[ data ] $data = strtoupper ($data) Sanitizer: $safe = addslashes($data) Sink: mysql_query($query) Tainted $query = SELECT... $safe ; 14

15 Approaches (3) Server-side Static string analysis Symbolically represent possible string values More fine-grained that pure taint analysis 15

16 Static Detection of XSS Vulnerabilities Key idea: Set of string values Context-free grammar (CFG) String operations (e.g., stripslashes) Finite State Transducer (FST) A = \{ } B = \{ \} Taken from: G. Wassermann, Z. Su: Static Detection of Cross-Site Scripting Vulnerabilities, Proceedings of ICSE 08 Note: Image of CFG over FST CFG 16

17 Running example Taken from: G. Wassermann, Z. Su: Static Detection of Cross-Site Scripting Vulnerabilities, Proceedings of ICSE 08 17

18 Taken from: G. Wassermann, Z. Su: Static Detection of Cross-Site Scripting Vulnerabilities, Proceedings of ICSE 08 18

19 SSA form Taken from: G. Wassermann, Z. Su: Static Detection of Cross-Site Scripting Vulnerabilities, Proceedings of ICSE 08 19

20 Resulting CFG Taken from: G. Wassermann, Z. Su: Static Detection of Cross-Site Scripting Vulnerabilities, Proceedings of ICSE 08 20

21 Policy check Policies Set of violation patterns Represented as FSM Based on norms + Gecko code review Browsers are permissive more attack vectors Check Symbolic string value violation pattern i.e., CFG FSM 21

22 Results Taken from: G. Wassermann, Z. Su: Static Detection of Cross-Site Scripting Vulnerabilities, Proceedings of ICSE 08 22

23 Thank you for your attention! Try it yourself on the WebGoat tutorial Ask us for the url and credentials! 23

Similar documents

Finding Vulnerabilities in Web Applications

Finding Vulnerabilities in Web Applications Finding Vulnerabilities in Web Applications Christopher Kruegel, Technical University Vienna Evolving Networks, Evolving Threats The past few years have witnessed a significant increase in the number of

More information

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

CIS 700/002 : Special Topics : OWASP ZED (ZAP) CIS 700/002 : Special Topics : OWASP ZED (ZAP) Hitali Sheth CIS 700/002: Security of EMBS/CPS/IoT Department of Computer and Information Science School of Engineering and Applied Science University of

More information

Security Analyses For The Lazy Superhero

Security Analyses For The Lazy Superhero #1 Security Analyses For The Lazy Superhero #2 One-Slide Summary We can statically detect buffer overruns in programs by modeling the space allocated for a buffer and the space used for a buffer. We cannot

More information

WEB SECURITY: XSS & CSRF

WEB SECURITY: XSS & CSRF WEB SECURITY: XSS & CSRF CMSC 414 FEB 22 2018 Cross-Site Request Forgery (CSRF) URLs with side-effects http://bank.com/transfer.cgi?amt=9999&to=attacker GET requests should have no side-effects, but often

More information

Preventing Injection Vulnerabilities through Context-Sensitive String Evaluation (CSSE)

Preventing Injection Vulnerabilities through Context-Sensitive String Evaluation (CSSE) IBM Zurich Research Laboratory Preventing Injection Vulnerabilities through Context-Sensitive String Evaluation (CSSE) Tadeusz Pietraszek Chris Vanden Berghe RAID

More information

Web Application Vulnerabilities: OWASP Top 10 Revisited

Web Application Vulnerabilities: OWASP Top 10 Revisited Pattern Recognition and Applications Lab Web Application Vulnerabilities: OWASP Top 10 Revisited Igino Corona igino.corona AT diee.unica.it Computer Security April 5th, 2018 Department of Electrical and

More information

CRAXweb: Web Testing and Attacks through QEMU in S2E. Shih-Kun Huang National Chiao Tung University Hsinchu, Taiwan

CRAXweb: Web Testing and Attacks through QEMU in S2E. Shih-Kun Huang National Chiao Tung University Hsinchu, Taiwan CRAXweb: Web Testing and Attacks through QEMU in S2E Shih-Kun Huang National Chiao Tung University Hsinchu, Taiwan skhuang@cs.nctu.edu.tw Motivation Symbolic Execution is effective to crash applications

More information

Vulnerabilities, exploits, and the secure design principles of Saltzer and Schroeder

Vulnerabilities, exploits, and the secure design principles of Saltzer and Schroeder Vulnerabilities, exploits, and the secure design principles of Saltzer and Schroeder What is a vulnerability? Management information stored in-band with regular information? Programming the weird machine?

More information

Web Security: Vulnerabilities & Attacks

Web Security: Vulnerabilities & Attacks Computer Security Course. Song Dawn Web Security: Vulnerabilities & Attacks Cross-site Scripting What is Cross-site Scripting (XSS)? Vulnerability in web application that enables attackers to inject client-side

More information

IronWASP (Iron Web application Advanced Security testing Platform)

IronWASP (Iron Web application Advanced Security testing Platform) IronWASP (Iron Web application Advanced Security testing Platform) 1. Introduction: IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability

More information

Code-Injection Attacks in Browsers Supporting Policies. Elias Athanasopoulos, Vasilis Pappas, and Evangelos P. Markatos FORTH-ICS

Code-Injection Attacks in Browsers Supporting Policies. Elias Athanasopoulos, Vasilis Pappas, and Evangelos P. Markatos FORTH-ICS Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos, Vasilis Pappas, and Evangelos P. Markatos FORTH-ICS What is all about? New code-injection attacks or return-to-libc attacks

More information

IS 2150 / TEL 2810 Introduction to Security

IS 2150 / TEL 2810 Introduction to Security IS 2150 / TEL 2810 Introduction to Security James Joshi Professor, SIS Lecture 15 April 20, 2016 SQL Injection Cross-Site Scripting 1 Goals Overview SQL Injection Attacks Cross-Site Scripting Attacks Some

More information

PHP Security. Kevin Schroeder Zend Technologies. Copyright 2007, Zend Technologies Inc.

PHP Security. Kevin Schroeder Zend Technologies. Copyright 2007, Zend Technologies Inc. PHP Security Kevin Schroeder Zend Technologies Copyright 2007, Zend Technologies Inc. Disclaimer Do not use anything you learn here for nefarious purposes Why Program Securely? Your job/reputation depends

More information

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security. Web Security Web Programming Uta Priss ZELL, Ostfalia University 2013 Web Programming Web Security Slide 1/25 Outline Web insecurity Security strategies General security Listing of server-side risks Language

More information

Security. CSC309 TA: Sukwon Oh

Security. CSC309 TA: Sukwon Oh Security CSC309 TA: Sukwon Oh Outline SQL Injection NoSQL Injection (MongoDB) Same Origin Policy XSSI XSS CSRF (XSRF) SQL Injection What is SQLI? Malicious user input is injected into SQL statements and

More information

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection Is Browsing Safe? Web Browser Security Charlie Reis Guest Lecture - CSE 490K - 5/24/2007 Send Spam Search Results Change Address? Install Malware Web Mail Movie Rentals 2 Browser Security Model Pages are

More information

sottotitolo System Security Introduction Milano, XX mese 20XX A.A. 2016/17 Federico Reghenzani

sottotitolo System Security Introduction Milano, XX mese 20XX A.A. 2016/17 Federico Reghenzani Titolo presentazione Piattaforme Software per la Rete sottotitolo System Security Introduction Milano, XX mese 20XX A.A. 2016/17 Outline 1) Introduction to System Security 2) Basic Exploits 3) Network

More information

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS 180 CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS 8.1 SUMMARY This research has focused on developing a Web Applications Secure System from Code Injection Vulnerabilities through Web Services (WAPS-CIVS),

More information

We will show you how we bypassed every XSS mitigation we tested. Mitigation bypass-ability via script gadget chains in 16 popular libraries

We will show you how we bypassed every XSS mitigation we tested. Mitigation bypass-ability via script gadget chains in 16 popular libraries We will show you how we bypassed every XSS mitigation we tested. Mitigation bypass-ability via script gadget chains in 16 popular libraries PoCs included Content Security Policy WAFs whitelists nonces

More information

NET 311 INFORMATION SECURITY

NET 311 INFORMATION SECURITY NET 311 INFORMATION SECURITY Networks and Communication Department Lec12: Software Security / Vulnerabilities lecture contents: o Vulnerabilities in programs Buffer Overflow Cross-site Scripting (XSS)

More information

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology DEFENSIVE PROGRAMMING Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology Traditional Programming When writing a program, programmers typically

More information

CS 155 Project 2. Overview & Part A

CS 155 Project 2. Overview & Part A CS 155 Project 2 Overview & Part A Project 2 Web application security Composed of two parts Part A: Attack Part B: Defense Due date: Part A: May 5th (Thu) Part B: May 12th (Thu) Project 2 Ruby-on-Rails

More information

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection Pattern Recognition and Applications Lab (System) Integrity attacks System Abuse, Malicious File upload, SQL Injection Igino Corona igino.corona (at) diee.unica.it Computer Security April 9, 2018 Department

More information

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14 Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.

More information

Generating String Attack Inputs Using Constrained Symbolic Execution. presented by Kinga Dobolyi

Generating String Attack Inputs Using Constrained Symbolic Execution. presented by Kinga Dobolyi Generating String Attack Inputs Using Constrained Symbolic Execution presented by Kinga Dobolyi What is a String Attack? Web applications are 3 tiered Vulnerabilities in the application layer Buffer overruns,

More information

PHP is a scripting language that can be embedded into HTML. Estimated 20 million PHP websites as of 2007

PHP is a scripting language that can be embedded into HTML. Estimated 20 million PHP websites as of 2007 Anthony Corch PHP is a scripting language that can be embedded into HTML Estimated 20 million PHP websites as of 2007 Extremely simple for a newcomer, but offers many advanced features for a professional

More information

HAMPI A Solver for String Theories

HAMPI A Solver for String Theories HAMPI A Solver for String Theories Vijay Ganesh MIT (With Adam Kiezun, Philip Guo, Pieter Hooimeijer and Mike Ernst) Dagstuhl, 2010 Motivation for String Theories String-manipulating programs ü String

More information

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Computer Security 3e. Dieter Gollmann. Chapter 18: 1 Computer Security 3e Dieter Gollmann www.wiley.com/college/gollmann Chapter 18: 1 Chapter 18: Web Security Chapter 18: 2 Web 1.0 browser HTTP request HTML + CSS data web server backend systems Chapter

More information

epldt Web Builder Security March 2017

epldt Web Builder Security March 2017 epldt Web Builder Security March 2017 TABLE OF CONTENTS Overview... 4 Application Security... 5 Security Elements... 5 User & Role Management... 5 User / Reseller Hierarchy Management... 5 User Authentication

More information

Web Applications (Part 2) The Hackers New Target

Web Applications (Part 2) The Hackers New Target Web Applications (Part 2) The Hackers New Target AppScan Source Edition Terence Chow Advisory Technical Consultant An IBM Rational IBM Software Proof of Technology Hacking 102: Integrating Web Application

More information

Ruby on Rails Secure Coding Recommendations

Ruby on Rails Secure Coding Recommendations Introduction Altius IT s list of Ruby on Rails Secure Coding Recommendations is based upon security best practices. This list may not be complete and Altius IT recommends this list be augmented with additional

More information

Software Security. Erik Poll. Digital Security group Radboud University Nijmegen

Software Security. Erik Poll. Digital Security group Radboud University Nijmegen Tackling Software Security problems Erik Poll Digital Security group Radboud University Nijmegen 1 Erik Poll Recall: input attacks malicious input application a bug! malicious input application (abuse

More information

OWASP 5/07/09. The OWASP Foundation OWASP Static Analysis (SA) Track Session 1: Intro to Static Analysis

OWASP 5/07/09. The OWASP Foundation OWASP Static Analysis (SA) Track Session 1: Intro to Static Analysis Static Analysis (SA) Track Session 1: Intro to Static Analysis Eric Dalci Cigital edalci at cigital dot com 5/07/09 Copyright The Foundation Permission is granted to copy, distribute and/or modify this

More information

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11 Attacks Against Websites Tom Chothia Computer Security, Lecture 11 A typical web set up TLS Server HTTP GET cookie Client HTML HTTP file HTML PHP process Display PHP SQL Typical Web Setup HTTP website:

More information

Riding out DOMsday: Toward Detecting and Preventing DOM Cross-Site Scripting. William Melicher Anupam Das Mahmood Sharif Lujo Bauer Limin Jia

Riding out DOMsday: Toward Detecting and Preventing DOM Cross-Site Scripting. William Melicher Anupam Das Mahmood Sharif Lujo Bauer Limin Jia Riding out DOMsday: Toward Detecting and Preventing DOM Cross-Site Scripting William Melicher Anupam Das Mahmood Sharif Lujo Bauer Limin Jia XSS vulnerabilities account for 25% of web vulnerabilities url.com/page#">attack

More information

Overview Cross-Site Scripting (XSS) Christopher Lam Introduction Description Programming Languages used Types of Attacks Reasons for XSS Utilization Attack Scenarios Steps to an XSS Attack Compromises

More information

A hybrid analysis framework for detecting web application vulnerabilities

A hybrid analysis framework for detecting web application vulnerabilities Università degli Studi di Milano Facoltà di Scienze Matematiche, Fisiche e Naturali Dipartimento di Informatica e Comunicazione A hybrid analysis framework for detecting web application vulnerabilities

More information

Ranking Vulnerability for Web Application based on Severity Ratings Analysis

Ranking Vulnerability for Web Application based on Severity Ratings Analysis Ranking Vulnerability for Web Application based on Severity Ratings Analysis Nitish Kumar #1, Kumar Rajnish #2 Anil Kumar #3 1,2,3 Department of Computer Science & Engineering, Birla Institute of Technology,

More information

Nemesis: Preventing Web Authentication & Access Control Vulnerabilities. Michael Dalton, Christos Kozyrakis Stanford University

Nemesis: Preventing Web Authentication & Access Control Vulnerabilities. Michael Dalton, Christos Kozyrakis Stanford University Nemesis: Preventing Web Authentication & Access Control Vulnerabilities Michael Dalton, Christos Kozyrakis Stanford University Nickolai Zeldovich Massachusetts Institute of Technology Web Application Overview

More information

Web Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le

Web Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le Web Security Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le Topics Web Architecture Parameter Tampering Local File Inclusion SQL Injection XSS Web Architecture Web Request Structure Web Request Structure

More information

CS 161 Computer Security

CS 161 Computer Security Raluca Ada Popa Spring 2018 CS 161 Computer Security Discussion 9 Week of March 19, 2018 Question 1 Warmup: SOP (15 min) The Same Origin Policy (SOP) helps browsers maintain a sandboxed model by preventing

More information

Security Engineering by Ross Andersson Chapter 18. API Security. Presented by: Uri Ariel Nepomniashchy 31/05/2016

Security Engineering by Ross Andersson Chapter 18. API Security. Presented by: Uri Ariel Nepomniashchy 31/05/2016 Security Engineering by Ross Andersson Chapter 18 API Security Presented by: Uri Ariel Nepomniashchy 31/5/216 Content What is API API developing risks Attacks on APIs Summary What is API? Interface for

More information

ISSTA : Software Testing and Analysis TAJ: Effective Taint Analysis of Web Applications, PLDI 2009

ISSTA : Software Testing and Analysis TAJ: Effective Taint Analysis of Web Applications, PLDI 2009 Slide 1 Hybrid Security Analysis of Web JavaScript Code via Dynamic Partial Evaluation Omer Tripp, Pietro Ferrara, Marco Pistoia IBM Watson Research Center ISSTA 2014 ISSTA : Software Testing and Analysis

More information

Ben Livshits and Úlfar Erlingsson. Microsoft Research

Ben Livshits and Úlfar Erlingsson. Microsoft Research Ben Livshits and Úlfar Erlingsson Microsoft Research Web application vulnerabilities more common than ever before The usual suspects: code injection vulnerabilities SQL injection Cross site scripting (XSS)

More information

DreamFactory Security Guide

DreamFactory Security Guide DreamFactory Security Guide This white paper is designed to provide security information about DreamFactory. The sections below discuss the inherently secure characteristics of the platform and the explicit

More information

Understanding Basic SQL Injection

Understanding Basic SQL Injection Understanding Basic SQL Injection SQL injection (also known as SQLI) is a code injection technique that occurs if the user-defined input data is not correctly filtered or sanitized of the string literal

More information

Symbolic String Verification: Combining String Analysis and Size Analysis

Symbolic String Verification: Combining String Analysis and Size Analysis Symbolic String Verification: Combining String Analysis and Size Analysis Fang Yu Tevfik Bultan Oscar H. Ibarra Deptartment of Computer Science University of California Santa Barbara, USA {yuf, bultan,

More information

Secure Programming Techniques

Secure Programming Techniques Secure Programming Techniques Meelis ROOS mroos@ut.ee Institute of Computer Science Tartu University spring 2014 Course outline Introduction General principles Code auditing C/C++ Web SQL Injection PHP

More information

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing Mobile Malfeasance Exploring Dangerous Mobile Code Jason Haddix, Director of Penetration Testing Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to

More information

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild Marius Steffens German OWASP Day 2018 joint work with Christian Rossow, Martin Johns and Ben Stock Dimensions

More information

Advanced Web Technology 10) XSS, CSRF and SQL Injection

Advanced Web Technology 10) XSS, CSRF and SQL Injection Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 1 Table of Contents Cross Site Request Forgery - CSRF Presentation

More information

Web Application Threats and Remediation. Terry Labach, IST Security Team

Web Application Threats and Remediation. Terry Labach, IST Security Team Web Application Threats and Remediation Terry Labach, IST Security Team IST Security Team The problem While we use frewalls and other means to prevent attackers from access to our networks, we encourage

More information

java -jar Xmx2048mb /Applications/burpsuite_pro_v1.5.jar

java -jar Xmx2048mb /Applications/burpsuite_pro_v1.5.jar Training: An Introduction to Burp Suite Part One By Mike Sheward Burp suite provides a solid platform for launching a web application security assessment. In this guide we re going to introduce the features

More information

OWASP TOP 10. By: Ilia

OWASP TOP 10. By: Ilia OWASP TOP 10 By: Ilia Alshanetsky @iliaa ME, MYSELF & I PHP Core Developer Author of Guide to PHP Security Security Aficionado WEB SECURITY THE CONUNDRUM USABILITY SECURITY YOU CAN HAVE ONE ;-) OPEN WEB

More information

Attack Vectors in Computer Security

Attack Vectors in Computer Security Attack Vectors in Computer Security Who Am I @WillGoard My first proper hacksoc talk I speak fluent greek Sell more pizzas have more fun Why attack vectors? Didn t know what to do for my dissertation Started

More information

Prevention Of Cross-Site Scripting Attacks (XSS) On Web Applications In The Client Side

Prevention Of Cross-Site Scripting Attacks (XSS) On Web Applications In The Client Side www.ijcsi.org 650 Prevention Of Cross-Site Scripting Attacks (XSS) On Web Applications In The Client Side S.SHALINI 1, S.USHA 2 1 Department of Computer and Communication, Sri Sairam Engineering College,

More information

The Most Dangerous Code in the Browser. Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan

The Most Dangerous Code in the Browser. Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Modern web experience Modern web experience Modern web experience Web apps Extensions NYTimes Chase AdBlock

More information

NAVEX: Precise and Scalable Exploit Generation for Dynamic Web Applications

NAVEX: Precise and Scalable Exploit Generation for Dynamic Web Applications NAVEX: Precise and Scalable Exploit Generation for Dynamic Web Applications Abeer Alhuzali, Rigel Gjomemo, Birhanu Eshete, and V.N. Venkatakrishnan University of Illinois at Chicago 1 Web Applications

More information

I n p u t. This time. Security. Software. sanitization ); drop table slides. Continuing with. Getting insane with. New attacks and countermeasures:

I n p u t. This time. Security. Software. sanitization ); drop table slides. Continuing with. Getting insane with. New attacks and countermeasures: This time Continuing with Software Security Getting insane with I n p u t sanitization ); drop table slides New attacks and countermeasures: SQL injection Background on web architectures A very basic web

More information

Outline STRANGER. Background

Outline STRANGER. Background Outline Malicious Code Analysis II : An Automata-based String Analysis Tool for PHP 1 Mitchell Adair 2 November 28 th, 2011 Outline 1 2 Credit: [: An Automata-based String Analysis Tool for PHP] Background

More information

Some Facts Web 2.0/Ajax Security

Some Facts Web 2.0/Ajax Security /publications/notes_and_slides Some Facts Web 2.0/Ajax Security Allen I. Holub Holub Associates allen@holub.com Hackers attack bugs. The more complex the system, the more bugs it will have. The entire

More information

Vulnerability & Attack Injection for Web Applications

Vulnerability & Attack Injection for Web Applications Vulnerability & Attack Injection for Web Applications José Fonseca Marco Vieira Henrique Madeira DSN, Estoril, Portugal, 30/06/2009 University of Coimbra, Portugal Presentation Outline Research problem

More information

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang WEB SECURITY WORKSHOP TEXSAW 2014 Presented by Solomon Boyd and Jiayang Wang Introduction and Background Targets Web Applications Web Pages Databases Goals Steal data Gain access to system Bypass authentication

More information

Understanding and Automatically Preventing Injection Attacks on Node.js

Understanding and Automatically Preventing Injection Attacks on Node.js Understanding and Automatically Preventing Injection Attacks on Node.js Michael Pradel TU Darmstadt Joint work with Cristian Staicu (TU Darmstadt) and Ben Livshits (Microsoft Research, Redmond) 1 Why JavaScript?

More information

Malicious Code Analysis II

Malicious Code Analysis II Malicious Code Analysis II STRANGER: An Automata-based String Analysis Tool for PHP Mitchell Adair November 28 th, 2011 Outline 1 STRANGER 2 Outline 1 STRANGER 2 STRANGER Credit: [STRANGER: An Automata-based

More information

SECURE CODING ESSENTIALS

SECURE CODING ESSENTIALS SECURE CODING ESSENTIALS DEFENDING YOUR WEB APPLICATION AGAINST CYBER ATTACKS ROB AUGUSTINUS 30 MARCH 2017 AGENDA Intro - A.S. Watson and Me Why this Presentation? Security Architecture Secure Code Design

More information

Secure Coding and Code Review. Berlin : 2012

Secure Coding and Code Review. Berlin : 2012 Secure Coding and Code Review Berlin : 2012 Outline Overview of top vulnerabilities Code review practice Secure design / writing secure code Write some secure code Review a volunteer's code Top Problems

More information

An Empirical Study of PHP Feature Usage: A Static Analysis Perspective

An Empirical Study of PHP Feature Usage: A Static Analysis Perspective An Empirical Study of PHP Feature Usage: A Static Analysis Perspective Mark Hills, Paul Klint, and Jurgen J. Vinju CWI, Software Analysis and Transformation (SWAT) ISSTA 2013 Lugano, Switzerland July 16-18,

More information

The OWASP Foundation

The OWASP Foundation Application Bug Chaining July 2009 Mark Piper User Catalyst IT Ltd. markp@catalyst.net.nz Copyright The Foundation Permission is granted to copy, distribute and/or modify this document under the terms

More information

ROSAEC Survey Workshop SELab. Soohyun Baik

ROSAEC Survey Workshop SELab. Soohyun Baik ROSAEC Survey Workshop SELab. Soohyun Baik Cross-Site Scripting Prevention with Dynamic Data Tainting and Static Analysis Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel,

More information

Ben Livshits and Úlfar Erlingsson. Microsoft Research

Ben Livshits and Úlfar Erlingsson. Microsoft Research Ben Livshits and Úlfar Erlingsson Microsoft Research Web application vulnerabilities more widespread than ever The usual suspects from Web 1.0 SQL injection Cross site scripting (XSS) Cross site request

More information

Under the hood testing - Code Reviews - - Harshvardhan Parmar

Under the hood testing - Code Reviews - - Harshvardhan Parmar Under the hood testing - Code Reviews - - Harshvardhan Parmar In the news September 2011 A leading bank s Database hacked (SQLi) June 2011 Sony hack exposes consumer passwords (SQLi) April 2011 Sony sites

More information

Simple Overflow. #include <stdio.h> int main(void){ unsigned int num = 0xffffffff;

Simple Overflow. #include <stdio.h> int main(void){ unsigned int num = 0xffffffff; Simple Overflow 1 #include int main(void){ unsigned int num = 0xffffffff; printf("num is %d bits long\n", sizeof(num) * 8); printf("num = 0x%x\n", num); printf("num + 1 = 0x%x\n", num + 1); }

More information

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Application Security through a Hacker s Eyes James Walden Northern Kentucky University Application Security through a Hacker s Eyes James Walden Northern Kentucky University waldenj@nku.edu Why Do Hackers Target Web Apps? Attack Surface A system s attack surface consists of all of the ways

More information

Sta$c Analysis Dataflow Analysis

Sta$c Analysis Dataflow Analysis Sta$c Analysis Dataflow Analysis Roadmap Overview. Four Analysis Examples. Analysis Framework Soot. Theore>cal Abstrac>on of Dataflow Analysis. Inter- procedure Analysis. Taint Analysis. Overview Sta>c

More information

Securing Software Applications Using Dynamic Dataflow Analysis. OWASP June 16, The OWASP Foundation

Securing Software Applications Using Dynamic Dataflow Analysis. OWASP June 16, The OWASP Foundation Securing Software Applications Using Dynamic Dataflow Analysis Steve Cook OWASP June 16, 2010 0 Southwest Research Institute scook@swri.org (210) 522-6322 Copyright The OWASP Foundation Permission is granted

More information

CS 161 Computer Security

CS 161 Computer Security Nick Weaver Fall 2018 CS 161 Computer Security Homework 3 Due: Friday, 19 October 2018, at 11:59pm Instructions. This homework is due Friday, 19 October 2018, at 11:59pm. No late homeworks will be accepted

More information

Analysis of Hypertext Isolation Techniques for Cross-site Scripting Prevention. Mike Ter Louw Prithvi Bisht V.N. Venkatakrishnan

Analysis of Hypertext Isolation Techniques for Cross-site Scripting Prevention. Mike Ter Louw Prithvi Bisht V.N. Venkatakrishnan Analysis of Hypertext Isolation Techniques for Cross-site Scripting Prevention Mike Ter Louw Prithvi Bisht V.N. Venkatakrishnan Outline Motivation Hypertext isolation Design challenges Conclusion Quote

More information

The security of Mozilla Firefox s Extensions. Kristjan Krips

The security of Mozilla Firefox s Extensions. Kristjan Krips The security of Mozilla Firefox s Extensions Kristjan Krips Topics Introduction The extension model How could extensions be used for attacks - website defacement - phishing attacks - cross site scripting

More information

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0 Welcome BIZEC Roundtable @ IT Defense, Berlin SAP Security BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0 February 1, 2013 Andreas Wiegenstein CTO, Virtual Forge 2 SAP Security SAP security is a complex

More information

Web Security IV: Cross-Site Attacks

Web Security IV: Cross-Site Attacks 1 Web Security IV: Cross-Site Attacks Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab3 New terminator: http://www.cs.ucr.edu/~csong/sec/17/l/new_terminator Bonus for solving the old one

More information

Assignment 6: Web Security

Assignment 6: Web Security COS 432 November 20, 2017 Information Security Assignment 6: Web Security Assignment 6: Web Security This project is due on Monday, December 4 at 11:59 p.m.. Late submissions will be penalized by 10% per

More information

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH Faculty of Computer Science Institute of Systems Architecture, Operating Systems Group PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH THE WEB AS A DISTRIBUTED SYSTEM 2 WEB HACKING SESSION 3 3-TIER persistent

More information

IEEE Sec Dev Conference

IEEE Sec Dev Conference IEEE Sec Dev Conference #23, Improving Attention to Security in Software Design with Analytics and Cognitive Techniques Jim Whitmore (former) IBM Distinguished Engineer Carlisle, PA jjwhitmore@ieee.org

More information

OWASP Top 10 The Ten Most Critical Web Application Security Risks

OWASP Top 10 The Ten Most Critical Web Application Security Risks OWASP Top 10 The Ten Most Critical Web Application Security Risks The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain

More information

Hacking 102 Integrating Web Application Security Testing into Development

Hacking 102 Integrating Web Application Security Testing into Development Hacking 102 Integrating Web Application Security Testing into Development Greg Pedley - gpedley@au1.ibm.com Brett Wallace - bretwal@au1.ibm.com Denice Wong deniwong@au1.ibm.com An IBM Proof of Technology

More information

CSE 127 Computer Security

CSE 127 Computer Security CSE 127 Computer Security Fall 2015 Web Security I: SQL injection Stefan Savage The Web creates new problems Web sites are programs Partially implemented in browser» Javascript, Java, Flash Partially implemented

More information

SAMATE (Software Assurance Metrics And Tool Evaluation) Project Overview. Tim Boland NIST May 29,

SAMATE (Software Assurance Metrics And Tool Evaluation) Project Overview. Tim Boland NIST May 29, SAMATE (Software Assurance Metrics And Tool Evaluation) Project Overview Tim Boland NIST May 29, 2012 http://samate.nist.gov t.boland@nist.gov 1 NationaI Institute of Standards and Technology (NIST) NIST,

More information

Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui

Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui Projects 1 Information flow analysis for mobile applications 2 2 Machine-learning-guide typestate analysis for UAF vulnerabilities 3 3 Preventing

More information

Software Security problems. Erik Poll. Digital Security group Radboud University Nijmegen

Software Security problems. Erik Poll. Digital Security group Radboud University Nijmegen Software Security problems Erik Poll Digital Security group Radboud University Nijmegen Problems with Insecure input handling is the most common security problem aka lack of input validation, but that

More information

Security issues. Unit 27 Web Server Scripting Extended Diploma in ICT 2016 Lecture: Phil Smith

Security issues. Unit 27 Web Server Scripting Extended Diploma in ICT 2016 Lecture: Phil Smith Security issues Unit 27 Web Server Scripting Extended Diploma in ICT 2016 Lecture: Phil Smith Criteria D3 D3 Recommend ways to improve web security when using web server scripting Clean browser input Don

More information

Secure Programming Lecture 8++: SQL Injection

Secure Programming Lecture 8++: SQL Injection Secure Programming Lecture 8++: SQL Injection David Aspinall, Informatics @ Edinburgh 9th February 2016 Outline Overview Other past attacks More examples Classification Injection route and motive Forms

More information

Secure coding practices

Secure coding practices Secure coding practices www.infosys.com/finacle Universal Banking Solution Systems Integration Consulting Business Process Outsourcing Secure coding practices Writing good code is an art but equally important

More information

A D V I S O R Y S E R V I C E S. Web Application Assessment

A D V I S O R Y S E R V I C E S. Web Application Assessment A D V I S O R Y S E R V I C E S Web Application Assessment March 2009 Agenda Definitions Landscape of current web applications Required skills Attack surface Scope Methodology Soft skills 2 Definitions

More information

CMPSC 497: Static Analysis

CMPSC 497: Static Analysis CMPSC 497: Static Analysis Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Page 1 Our Goal In this course,

More information

Applications Security

Applications Security Applications Security OWASP Top 10 PyCon Argentina 2018 Objectives Generate awareness and visibility on web-apps security Set a baseline of shared knowledge across the company Why are we here / Trigger

More information

Solutions Business Manager Web Application Security Assessment

Solutions Business Manager Web Application Security Assessment White Paper Solutions Business Manager Solutions Business Manager 11.3.1 Web Application Security Assessment Table of Contents Micro Focus Takes Security Seriously... 1 Solutions Business Manager Security

More information

International Journal of Scientific & Engineering Research Volume 8, Issue 5, May ISSN

International Journal of Scientific & Engineering Research Volume 8, Issue 5, May ISSN International Journal of Scientific & Engineering Research Volume 8, Issue 5, May-2017 80 WEB APPLICATION VULNERABILITY PREDICTION USING MACHINE LEARNING 1 Vignesh M, 2 Dr. K. Kumar 1 PG Scholar, 2 Assistant

More information

BOOSTING THE SECURITY OF YOUR ANGULAR 2 APPLICATION

BOOSTING THE SECURITY OF YOUR ANGULAR 2 APPLICATION BOOSTING THE SECURITY OF YOUR ANGULAR 2 APPLICATION Philippe De Ryck NG-BE Conference, December 9 th 2016 https://www.websec.be ABOUT ME PHILIPPE DE RYCK My goal is to help you build secure web applications

More information

Maximizing the speed of time based SQL injection data retrieval

Maximizing the speed of time based SQL injection data retrieval Maximizing the speed of time based SQL injection data retrieval 30c3, Hamburg, 29.12.2013 Arnim' ; DROP TABLE students;-- ) Introduction SQL injection SQLi is #1 of OWASP Top 10 Web vulnerabilities Sample

More information
2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback