The Devils Behind Web Application Vulnerabilities

Similar documents
Effective Detection of SQL/XPath Injection Vulnerabilities in Web Services

Benchmarking Vulnerability Detection Tools for Web Services

Protecting Database Centric Web Services Against SQL/XPath Injection Attacks

October, 2012 Vol 1 Issue 8 ISSN: (Online) Web Security

Practical Guide to Securing the SDLC

OUTLINE PERFORMANCE BENCHMARKING 7/23/18 SUB BENCHMARKING THE SECURITY OF SOFTWARE SYSTEMS OR TO BENCHMARK OR NOT TO BENCHMARK

Web Security Vulnerabilities: Challenges and Solutions

City, University of London Institutional Repository

Analyzing & Defining Web Application Vulnerabilities With Dynamic Analysis And Web Mining

INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY

Vulnerability & Attack Injection for Web Applications

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

MATERIALS AND METHOD

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

n Explain penetration testing concepts n Explain vulnerability scanning concepts n Reconnaissance is the first step of performing a pen test

Blind XPath Injection Attack: A Case Study

Continuously Discover and Eliminate Security Risk in Production Apps

ShiftLeft. Real-World Runtime Protection Benchmarking

Product Security Program

Security Testing. John Slankas

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

Unit Level Secure by Design Approach

Implementation Ids for Web Security Mechanism against Injection and Multiple Attacks

Is Your Web Application Really Secure? Ken Graf, Watchfire

John Coggeshall Copyright 2006, Zend Technologies Inc.

Maximum Security with Minimum Impact : Going Beyond Next Gen

Comparing SQL Injection Detection Tools Using Attack Injection: An Experimental Study

Integrated Web Application Firewall (WAF) & Distributed Denial Of Service (DDoS) Mitigation For Today s Enterprises

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

Application Security Use Cases. RASP, WAF, NGWAF, What The Hell is The Difference.

Using Threat Analytics to Protect Privileged Access and Prevent Breaches

90% of data breaches are caused by software vulnerabilities.

Engineering Your Software For Attack

OWASP 5/07/09. The OWASP Foundation OWASP Static Analysis (SA) Track Session 1: Intro to Static Analysis

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

CSCE 813 Internet Security Case Study II: XSS

UC Secure Software Development Standard

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

IBM Rational Software

Generating String Attack Inputs Using Constrained Symbolic Execution. presented by Kinga Dobolyi

GOING WHERE NO WAFS HAVE GONE BEFORE

CS 161 Computer Security

Under the hood testing - Code Reviews - - Harshvardhan Parmar

Detecting XSS Based Web Application Vulnerabilities

A SURVEY ON ROUTINE DETECTION OF WEB APPLICATION DEFENCE FLAWS

Presentation of a Pattern to Counteract the Attacks of XSS Malware

Building Security Into Applications

Simple Overflow. #include <stdio.h> int main(void){ unsigned int num = 0xffffffff;

CIS 4360 Secure Computer Systems XSS

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Protect your apps and your customers against application layer attacks

Vulnerability Discovery with Attack Injection

Training and Certifying Security Testers Beyond Penetration Testing

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

An Introduction to the Waratek Application Security Platform

CYSE 411/AIT 681 Secure Software Engineering. Topic #6. Seven Software Security Touchpoints (III) Instructor: Dr. Kun Sun

4. Risk-Based Security Testing. Reading. CYSE 411/AIT 681 Secure Software Engineering. Seven Touchpoints. Application of Touchpoints

Mitigating Security Breaches in Retail Applications WHITE PAPER

Lecture 4: Threats CS /5/2018

Development*Process*for*Secure* So2ware

CSWAE Certified Secure Web Application Engineer

SECURE CODING PART 1 MAGDA LILIA CHELLY ENTREPRENEUR CISO ADVISOR CYBERFEMINIST PEERLYST BRAND AMBASSADOR TOP 50 CYBER CYBER

Cyber Hygiene: Uncool but necessary. Automate Endpoint Patching to Mitigate Security Risks

Aguascalientes Local Chapter. Kickoff

THE CONTRAST ASSESS COST ADVANTAGE

EXECUTIVE REPORT ADOBE SYSTEMS, INC. COLDFUSION SECURITY ASSESSMENT

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Vulnerability Assessment with Application Security

WEB APPLICATION SCANNERS. Evaluating Past the Base Case

NET 311 INFORMATION SECURITY

Building Secure Systems

Secure Development Lifecycle

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

Certified Secure Web Application Engineer

Preventing Injection Vulnerabilities through Context-Sensitive String Evaluation (CSSE)

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Application vulnerabilities and defences

SECURITY TESTING. Towards a safer web world

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

SDLC Maturity Models

Security Engineering for Software

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

The Top 6 WAF Essentials to Achieve Application Security Efficacy

n Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network

Sample Exam ISTQB Advanced Test Analyst Answer Rationale. Prepared By

Improving Security in the Application Development Life-cycle

Webapps Vulnerability Report

Web Application Firewall Subscription on Cyberoam UTM appliances

Outline STRANGER. Background

Metrics, Methods and Tools to Measure Security and Trustworthiness

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

Secure Application Development. OWASP September 28, The OWASP Foundation

PT Unified Application Security Enforcement. ptsecurity.com

BUILDING APPLICATION SECURITY INTO PRODUCTION CONTAINER ENVIRONMENTS Informed by the National Institute of Standards and Technology

Double Guard: Detecting intrusions in Multitier web applications with Security

Chapter 5: Database Security

The Need for Confluence

A Novel Approach to Detect and Prevent Known and Unknown Attacks in Local Area Network

Malicious Code Analysis II

Transcription:

The Devils Behind Web Application Vulnerabilities Defending against Web Application Vulnerabilities IEEE Computer, February 2012 Nuno Antunes, Marco Vieira {nmsa, mvieira}@dei.uc.pt Postgrad Colloquium Software and Systems Engineering Centre for Informatics and Systems of the University of Coimbra

Outline n Background and Motivation n Developing Secure Code n Detecting Vulnerabilities n Detecting Attacks n What are we doing about it? n Conclusions 2

Security in Web Applications 3

Security Vulnerabilities... n Faults that leave space to an exploitation or a corruption of a system n Web applications are widely exposed n Hackers moved their focus from the network to application s code n Injection and Cross-Site Scripting (XSS) are the two most common vulnerabilities 4

are an important problem... n Create and feed an underground economy n Companies are aware of that: n OWASP Security Spending Benchmarks 2009 shows that investment in security is increasing n However... 5

this is not getting better! n NTA Web Application Security Reports show that Web Security is decreasing n According to WhiteHat Security Website Security Statistics Report, 63% of assessed websites are vulnerable n Something is wrong in the development of web applications! 6

The Solution n a defense-in-depth approach, with overlapping protections, can help secure Web applications [Howard02] 7

Security in Software Development Lifecycle Initialization Speci.ication and Design Implementation Testing Decommissioning Deployment 8

Developing Secure Code n The characteristics of Web applications suggest the use of three distinct lines of defense: n Input validation n Hotspot protection n Output validation 9

Input Validation n Reduce an application s input domain n All inputs are malicious until proven otherwise n Starts with normalization of the inputs n Uses filtering strategies to reject values outside the domain domain can allow malicious data: n e.g. in the case of SQL injection 10

Hotspot Protection n Each type of attack targets a hotspot: n Hotspot: a set of statements that is prone to specific types of vulnerabilities. n This line of defense focuses on protecting only key hotspots n e.g. SQL injection attacks use quotes ( or ): n Character Escaping n Parameterized commands/queries 11

Output Validation n Prevents users from receiving restricted information as: n Internal Exceptions that can lead to other attacks n Credit card numbers n Encoding is a example of output validation n Avoids XSS vulnerabilities 12

Why don t developers follow these practices? n Training and education n Security is boring and uninteresting n Someone else should take care of security n Security limits application functionality 13

Detecting Vulnerabilities n White-box analysis n Black-box testing n Limitations of Vulnerability Detection 14

White-Box Analysis n Analyze the code without actually executing it n Looks for potential vulnerabilities n Among other types of software defects n Requires access to the source code or bytecode n Automated tools provide an automatic way for highlighting possible coding errors Ignore the runtime perspective 15

Black-Box Testing n A specialization of Robustness Testing n Analyzes the program execution in the presence of malicious inputs, searching for vulnerabilities. n Does NOT require access to the source code or bytecode n Automated tools provide an automatic way to search for vulnerabilities n Avoid a large number of manual tests Ignore the internals of the application 16

Limitations of Vulnerability Detection n [Antunes09a] % Coverage % False Positives 17

Detecting Attacks n Consists of identifying deviations from the correct behavior n In runtime n Anomaly detection tools usually require a training phase with non-malicious requests n Signature-based tools look for patterns of a predefined set of rules or signatures 18

Limitations of Attack Detection [Elia10] n Tools only perform well in specific scenarios: n Anomaly-detection better for simpler applications n Signature-based better for complex applications n Achieve low detection coverage n less than 20 percent in many cases n Report many false alarms n as high as 50 percent of the alarms generated n Developers often lack the training required to create adequate configurations 19

What are we doing about it? n New vulnerability detection tools n Penetration Testing [Antunes09b] n Attack Signatures & Interface Monitoring n Runtime Anomaly Detection n Benchmarking vulnerability detection tools n Focused in Web Services 20

Sign-WS [Antunes11] Penetration Testing does not require access to the code Vulnerability detection can only rely on the analysis of the output n Effectiveness is limited by the lack of visibility on the internal behavior of the service n Solution: Using Interface Monitoring together with Attack Signatures n It is possible to obtain the information necessary to improve the Penetration Testing process n without accessing or modifying the internals of the application! 21

Experimental Results Tool Detection Coverage False Positive Rate Sign-WS 74.05% 0.00% VS1 32.28% 54.46% VS2 24.05% 61.22% VS3 1.90% 0.00% 22

CIVS-WS [Antunes09c] n A new Runtime Anomaly Detection Approach n To find SQL/XPath Injection Vulnerabilities n Combine the analysis of services responses with the analysis of the runtime behavior n Two phases: Profiling and Detection n Vulnerabilities are identified by comparing the structure of commands executed in the presence of attacks to the ones learned in the absence of attacks 23

Experimental Evaluation n Using the same set of Web Services Penetration testing Static Code Analysis 70" 60" 50" 40" 30" 20" 10" 0" 0# #False"Posi9ves" #Vulnerabili9es"detected" 5# 1# 65# 31# 22# 0# 6# VS1" VS2" VS3" CIVS.WS" 40" 35" 30" 25" 20" 15" 10" 5" 0" #"False"Posi8ves" 10# #"Vulnerable"Lines" 7# 0# 23# 28# 4# 28# 11# SA1" SA2" SA3" CIVS-WS" Tool False Positives % Coverage % Tool False Positives % Coverage % VS1 14% 47.7% SA1 23% 82.1% VS2 4% 33.8% SA2 26% 100.0% VS3 0% 9.2% SA3 27% 39.3% CIVS-WS 0% 100.0% CIVS-WS 0% 100.0% 24

Benchmarking Vuln. Detection Tools n [Antunes10] n Proposed an approach to benchmark the effectiveness of V. D. tools in web services n Procedures and measures were specified n A concrete benchmark was implemented n Targeting tools able to detect SQL Injection n A benchmarking example was conducted n Results show that the benchmark can be used to assess and compare different tools 25

Benchmarking Vuln. Detection Tools Tool % TP % FP CIVS 79% 0% SA1 55% 7% SA2 100% 36% SA3 14% 67% Results for CIVS-WS and static analysis Results for Penetration Testing Tool % TP % FP VS1 32% 54% VS2 24% 61% VS3 2% 0% VS4 24% 43% Benchmarked Tools Ranking 26

Conclusions n Developers must always consider security: n Use best practices in coding; n security testing; n use attack-detection systems; n Developers need help with training and the tools n Researchers should propose new tools: n New security testing tools n Possibly compile-time fixing of vulnerabilities 27

Questions http://xkcd.com/327/ More about this in: http://eden.dei.uc.pt/~nmsa Nuno Antunes Department of Informatics Engineering University of Coimbra nmsa@dei.uc.pt 28

References n n n n n n n [Antunes09a] Antunes, N. and Vieira, M., Comparing the Effectiveness of Penetration Testing and Static Code Analysis on the Detection of SQL Injection Vulnerabilities in Web Services, IEEE 15th Pacific Rim International Symposium on Dependable Computing (PRDC 09), Shanghai, China, November 2009. [Antunes09b] Antunes, N. and Vieira, M., Detecting SQL Injection Vulnerabilities in Web Services, Fourth Latin-American Symposium on Dependable Computing (LADC 2009), João Pessoa, Paraíba, Brazil, September 2009. [Antunes09c] Antunes, N. and Laranjeiro, N. and Vieira, M. and Madeira, H., "Effective Detection of SQL/XPath Injection Vulnerabilities in Web Services", IEEE International Conference on Services Computing (SCC 2009), Bangalore, India, September 2009. [Antunes10] Antunes, N. and Vieira, M., Benchmarking Vulnerability Detection Tools for Web Services, IEEE 8th International Conference on Web Services (ICWS 2010), Miami, Florida, USA, July 2010. [Antunes11] Antunes, N. and Vieira, M., Enhancing Penetration Testing with Attack Signatures and Interface Monitoring for the Detection of Injection Vulnerabilities in Web Services, IEEE 8th International Conference on Services Computing (SCC 2011), Washington, D.C., USA, 4-9 July 2011. [Howard02] M. Howard and D.E. Leblanc, Writing Secure Code, Redmond, Washington: Microsoft Press, 2002. [Elia10] I.A. Elia, J. Fonseca, and M. Vieira, Comparing SQL Injection Detection Tools Using Attack Injection: An Experimental Study, Proc. 21st IEEE Int l Symp. Software Reliability Engineering (ISSRE 2010), IEEE CS, 2010, p. 289-298. 29

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback