Web Security Vulnerabilities: Challenges and Solutions


Web Security Vulnerabilities: Challenges and Solutions
A Tutorial Proposal for ACM SAC 2018
by Dr. Hossain Shahriar
Department of Information Technology, Kennesaw State University, Kennesaw, GA 30144, USA
Email: hshahria@kennesaw.edu
ACM SAC 2018 Tutorial Proposal, Page 1 of 5

1. Title: Web Security Vulnerabilities: Challenges and Solutions

2. Duration: Half day, 3 hours

3. Abstract

We rely on web applications to perform many useful activities. Despite the awareness over the past decade of secure programming practices and of tools for discovering vulnerabilities in implementations, we still observe the presence of known vulnerabilities. Both the client side and the server side can let attackers exploit vulnerabilities with malicious inputs. Web services are used as an integral part of web applications, and they remain vulnerable when not implemented securely. Given that, an understanding of the common vulnerabilities for applications and services is essential for practitioners to tame the unsecured web. In this tutorial, we will provide an overview of common vulnerabilities for web applications and web services, followed by common techniques useful for combating security threats. In particular, we will discuss implementation-level vulnerabilities for applications (e.g., code injection, object injection, clickjacking) along with a popular mitigation approach known as security testing. We also focus on web service security vulnerabilities and exploitation techniques, followed by best practices.

4. Motivation, target audience, and interest for the SAC community

Most reported security breaches (e.g., those reported by OWASP) have been shown to be related to implementation-level vulnerabilities. These vulnerabilities can result in unwanted consequences such as bypassing of the legitimate login procedure, hijacking of session information, deletion or alteration of sensitive data, execution of arbitrary code supplied by hackers, and passing of sensitive information to unwanted third parties. Given that, this tutorial is intended to raise awareness and guide practitioners to prevent these consequences. The tutorial is intended for software designers and developers, security testers, academic researchers, scientists, and graduate students.

As the tutorial addresses one of the most emerging and crucial issues in security and quality assurance, it demonstrates an extremely high degree of relevance and addresses a broad spectrum of potential attendees of ACM SAC 2018. The tutorial will help related stakeholders understand the most common program security vulnerabilities. Moreover, it will allow relevant professionals to apply appropriate vulnerability mitigation techniques.

5. Outline of the tutorial

The tutorial consists of three major parts. In the first part, we briefly discuss some of the most common vulnerabilities that are widely discovered in programs. We give an idea of how the exploitation of commonly discovered web security vulnerabilities (SQL injection, cross-site scripting, object injection, clickjacking, denial of service) can lead to many unwanted behaviors such as login bypassing. In the second part, we introduce the vulnerability mitigation process based on security testing, static analysis, and intrusion detection systems. We explore both black-box and white-box approaches. In particular, our discussion will focus on some key aspects of conducting the testing process, such as the test case generation method, the source of test cases, and vulnerability coverage. We discuss some test case generation techniques in detail, followed by open issues. In the third part, we discuss the common vulnerabilities for web services with a taxonomy, followed by examples of mitigation approaches from the literature and available tools. For each part, we provide the estimated duration and subtopics in the structure of contents below, followed by a list of the most relevant literature.

Structure of Contents

Introduction (10 min)
o Motivation and background

Application vulnerabilities (Part 1: 40 min)
o SQL Injection
o Cross-Site Scripting
o Object Injection
o Clickjacking
o Denial of Service

Mitigation approaches (Part 2: 40 min)
o Taxonomy of security testing
o Static analysis based security testing
o Intrusion Detection System

Service Vulnerabilities and Mitigation (Part 3: 30 min)
o Taxonomy of web service vulnerabilities
o Prevention and solution

Summary (10 min)

References

1. R. Bronte, H. Shahriar, H. M. Haddad, Mitigating distributed denial of service attacks at the application layer, Proceedings of the 32nd Symposium on Applied Computing (SAC), April 2017, Marrakech, Morocco, pp. 693-696.
2. R. Bronte, H. Shahriar, H. M. Haddad, A signature-based intrusion detection system for web applications based on genetic algorithm, Proceedings of the 9th International Conference on Security of Information and Networks (SIN), July 2016, Newark, NJ, USA, pp. 32-39.
3. R. Bronte, H. Shahriar, H. Haddad, Information Theoretic Anomaly Detection Framework for Web Application, Proceedings of the 40th IEEE Computer Software and Applications Conference (COMPSAC), Atlanta, GA, USA, June 2016, pp. 394-399.
4. H. Shahriar, H. M. Haddad, P. Bulusu, OCL Fault Injection-Based Detection of LDAP Query Injection Vulnerabilities, Proceedings of the 40th IEEE Computer Software and Applications Conference (COMPSAC), Atlanta, GA, USA, June 2016, pp. 455-460.
5. H. Shahriar, H. M. Haddad, Object injection vulnerability discovery based on latent semantic indexing, Proceedings of the 31st Annual ACM Symposium on Applied Computing (SAC), Pisa, Italy, April 2016, pp. 801-807.

6. H. Shahriar, H. M. Haddad, V. K. Devendran, Request and Response Analysis Framework for Mitigating Clickjacking Attacks, International Journal of Secure Software Engineering (IJSSE), Vol. 6, Issue 3, 2015, pp. 1-25.
7. H. Shahriar, H. M. Haddad, Security assessment of clickjacking risks in web applications: metrics based approach, Proceedings of the 30th Annual ACM Symposium on Applied Computing (SAC), Gyeongju, South Korea, March 2014, pp. 791-797.

6. Specific goals and learning objectives

After completing the tutorial, the participants will be able to:
o Identify the cause of web application and web service security vulnerabilities and demonstrate the consequence of vulnerabilities with attack payloads
o Describe various security testing approaches, including static analysis, test case generation with genetic algorithms, and intrusion detection-based defense
o Apply some secure programming principles to prevent vulnerabilities

7. Expected background of the audience

Participants are expected to have some familiarity with web application development using PHP/JSP. Knowledge of SQL, JavaScript, and XML will be helpful.

8. Presenter bio

Dr. Hossain Shahriar has been an Assistant Professor of Information Technology at Kennesaw State University, Georgia, USA since Fall 2012. He received his PhD in Computing from Queen's University, Canada in 2012. His research interests include cyber security, particularly application (web, mobile) security vulnerabilities and mitigation approaches, risk assessment techniques, and metric-based attack detection. He also teaches cyber security courses such as Ethical Hacking. Dr. Shahriar has published more than 70 peer-reviewed research articles on various topics within cyber security in international journals, conferences, and book chapters, including ACM SAC, ACM SIN, IEEE HASE, IEEE COMPSAC, Computers & Security, and ACM Computing Surveys.

He has been a reviewer for many international journals and a PC member of international conferences on software, computer, and application security. He served as Fast Abstract Chair in IEEE COMPSAC 2015-2017, Program Chair in ACM SIN 2016, Publicity Chair in IEEE COMPSAC 2017, Publication Chair in ACM SAC 2017 and 2018, and Student Research Competition Chair in ACM SAC 2016. Currently, he is also a Co-PI of a research project funded by the National Science Foundation on Secure Mobile Application Development, aiming to develop open source labware resources. Dr. Shahriar is a professional member of ACM, SIGAPP, and IEEE.

9. Audio visual equipment needed for the presentation

A projector for a PowerPoint slide show would be sufficient.

10. Teaching materials on the topic by the presenter

a) Tutorials in international conferences
1. Secure and Reliable Mobile Applications: Challenges and Approaches, ACM SAC 2016, Pisa, Italy.
2. Security of Web Applications and Browsers: Challenges and Solutions, ACM SAC 2015, Salamanca, Spain.
3. Mitigation of Program Security Vulnerabilities: Approaches and Challenges, ACM SAC 2014, Gyeongju, South Korea.
4. Mitigation of Program Security Vulnerabilities: Approaches and Challenges, IEEE ISSRE 2012, Dallas, TX, USA.
5. Mitigation of Program Security Vulnerabilities: Approaches and Challenges, ACM SAC 2011, Taichung, Taiwan.

b) Academic courses
1. Ethical Hacking and Networking Defense (IT4843), Kennesaw State University, USA.
2. Information Security Administration (IT6823), Kennesaw State University, USA.
3. Health Information Security and Privacy (IT6533), Kennesaw State University, GA, USA.
4. Computing Security (CS6040), Kennesaw State University, GA, USA.
5. Theory of Networking & Security (CS3550), Kennesaw State University, GA, USA.
6. Secure Software Development (CS4550), Kennesaw State University, GA, USA.