Security testing: a key challenge for software engineering. Yves Le Traon, yves.letraon@uni.lu Professor, Univ of Luxembourg
1 Security testing: a key challenge for software engineering Yves Le Traon, yves.letraon@uni.lu Professor, Univ of Luxembourg 1
2 Objectives of the presentation - Promote applied research in systematic security testing - How? - Results of three research experiments - Lessons learnt - Open challenges 2
3 The perimeter of the talk. A hacker misuses the application by exploiting flaws in the application, i.e. exploiting vulnerabilities: code injection, bypass attacks. Diagram: the client (HTML, JavaScript, Flash, Java applets) sends requests and receives responses through a web application firewall to the server (JSP, PHP, DB) and the information system; security mechanisms sit on both the client and the server side. 3
4 Overview Testing security? About XSS, web browsers and regression testing About mobile apps attack surface (Android) About internal information system security Emerging security testing challenges 4
5 About testing security 5
6 Looking for bugs and other errors 6
7 Software testing: cost and trust. (1) Testing: detecting inconsistencies between implementation and specification; reliability. (2) Design for testability, design for trust. (Figure: reliability curves; only the labels Reliability, Real, Decrease, Decrease with reg... were transcribed.) 7
8 Classical testing issues About XSS, web browsers and regression testing 8
9 Regression testing: From chaos to order 9
10 Software regression failures Non regression Chaotic Regression version 1 Version 2 Version 3 Version 4 Version 5 Version6 versions 10
11 Security and software engineering: program understanding / reverse engineering. About mobile apps attack surface (Android) 11
12 Software testing vs. security testing. Running example: a book that can be opened, closed and read. Functional testing: it works as expected. Robustness testing: then it should still work. Security testing: a very particular kind of robustness; then it should still work. 12
13 Security testing is twofold: the tester as a hacker (pentest), and the tester of the security policy. Diagram: security mechanisms on the client, at the web application firewall and on the server (requests / responses), in front of the information system.
14 About XSS, web browsers and regression testing Erwan Abgrall PhD Kereval, France Sylvain Gombault researcher telecom Bretagne 15
15 Attacking process. The attacker sends a client request to the web server; the server generates the web page embedding an attack vector; the victim's web browser loads it. Is the vector executed? If so, the web browser is compromised and the attacker takes control. XSS TestDriver exercises this process. 16
16 Vector / payload / attack. Vector: a piece of HTML code enabling JavaScript code execution. Payload: the JavaScript code to be executed, e.g. <script>alert(1)</script>. Attack: the injection that makes the server generate the vector, e.g. "></input><script>alert(1)</script> 17
17 Attack surface of a web browser Code within a web browser that can be run by an attacker The set of executable vectors in a given browser XSS Test Driver aims at exercising this code 18
18 Selection of XSS test vectors. Referenced vectors: XSS Cheat Sheet, HTML5 XSS cheat sheet, UTF-7 XSS Cheat Sheet (the final benchmark can be found [URL missing from the transcription]). New vector generation: {html4tag} x {property} x {JScall}, giving 6 new vector combinations. 19
19 Example 1: SVG-based XSS via <g> onload (the xmlns URL is missing from the transcription): <svg xmlns=" onload="javascript:%(eval_payload)s"></g></svg> 20
20 Example 2: SVG chameleon behaviour via embedded XSLT (namespace URLs missing from the transcription): <?xml version="1.0"?> <?xml-stylesheet type="text/xml" href="#stylesheet"?> <!DOCTYPE doc [ <!ATTLIST xsl:stylesheet id ID #REQUIRED>]> <svg xmlns=" <xsl:stylesheet id="stylesheet" version="1.0" xmlns:xsl=" <xsl:template match="/"> <iframe xmlns=" src="javascript:%(eval_payload)s"></iframe> </xsl:template> </xsl:stylesheet> <circle fill="red" r="40"></circle> </svg> 21
21 Evading known signatures: root vs. obfuscated vectors. Root: <script>alert(1)</script>. Obfuscated: <DIV STYLE="width:expression(eval(String.fromCharCode(97,108,101,114,116,40,39,120,115,115,39,41,32)));"> 22
22 Evading known signatures: root vs. obfuscated vectors. Figure: root vectors v1, v2, v3, ..., v82, v83, v84; from V3, the comment variants V3-with-comment1 ... V3-with-commentn; from V3-with-comment2, the encoded variants V3-with-comment2-encoded1 ... V3-with-comment2-encodedp. Axes: noxiousness of an obfuscated XSS vs. noxiousness of a root XSS. 23
23 24 Web browser test mechanism
25 Are mobiles protected? NO! The web browser is the n°1 application for smartphones. These browsers inherit the defects of their parent browsers (WebKit / Gecko / Presto). They even access more information: data URIs and specific functionalities, HTML storage, saved identifiers (since typing a password is tedious on mobiles), the Camera API, Vibrator API and Contacts API (WebAPI). 26
26 27 Attack surface over time
27 Regression is about deltas. Ideally: convergence. In practice: Delta(Vn, Vn+1) between successive versions Vn and Vn+1. 28
28-34 Attack surface over time, one chart per browser family (charts not transcribed; only the labels survive): Opera (variation 0); Internet Explorer (IE 4.01, IE 5.01, IE 5.5, IE 6.0, IE 7.0 beta 3, IE 8.0, IE 9.0 beta); Netscape; Mozilla; Firefox; Chrome; Android browser. 29-35
35 One step further: test for counter-attacking. A web browser differs from the others by its many features, one of them being its specific sensitivity to XSS attack vectors. This allows identifying a fake user-agent, i.e. determining the exact nature of an attacker's web browser, for protecting and possibly counter-attacking. 36
36 Counter-attacking process. The attacker presents a fake user-agent, FakeUA(IE8.0), to the web server; the server answers with XSS tests ("Are you who you pretend?"); the browser's reactions reveal Chrome 1.997, not IE 8.0; the server can then respond with an XSS attack whose payload targets the actual browser. 37
37 Test method for attacker identification. Use the reaction of a given web browser to known XSS vectors as a signature that identifies it precisely (family and version): test-driven web browser fingerprinting. 38
38 Results. The exact version of a web browser (out of 77) can be determined thanks to its signature (71% accuracy). 6 XSS test vectors are sufficient to quickly determine the exact family a web browser belongs to, with an accuracy of 98.6%. 39
39 Lessons learnt and challenges. No obvious systematic regression testing strategy for security. Urgent need for: a tooled environment to systematically run regression tests; an updated benchmark of XSS vectors. Research challenges: automate the generation of test vectors (collaborative fuzz testing: Shazzer; possibly MBT?); use dynamic tests to detect and identify an attack. 40
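The fingerprinting idea of slides 37-38 (a browser's reaction to a set of XSS test vectors used as its signature, and a small vector subset that separates browser families), as an added Python example that is not the talk's XSS Test Driver code. The reaction matrix, browser labels and vector ids are constructed for the example and do not reproduce the talk's 77-browser benchmark.

```python
"""Test-driven browser fingerprinting (slides 37-38): which XSS test vectors
a browser executes is used as its signature. Everything below is CONSTRUCTED
for the example: labels, vector ids and the reaction matrix are made up."""
from itertools import combinations

# Constructed reaction matrix: browser label -> ids of the vectors whose
# payload executed in that browser. The family is the label's alphabetic prefix.
REACTIONS = {
    "ie8.0":       {"v1", "v3", "v5", "v7"},
    "ie9.0":       {"v1", "v3", "v7"},
    "chrome1.997": {"v2", "v4", "v6"},
    "chrome2.0":   {"v2", "v4", "v6", "v8"},
    "firefox3.6":  {"v1", "v2", "v5"},
    "firefox4.0":  {"v1", "v2", "v5", "v8"},
    "opera10":     {"v3", "v4", "v8"},
}
VECTORS = sorted(set().union(*REACTIONS.values()))


def family(label):
    """'chrome1.997' -> 'chrome'."""
    return label.rstrip("0123456789.")


def signature(executed, vectors):
    """Bit string over the given vectors: 1 where the vector executed."""
    return "".join("1" if v in executed else "0" for v in vectors)


def minimal_distinguishing_set(matrix, key):
    """Smallest subset of vectors whose signatures never put two browsers
    with different `key` (e.g. family) on the same signature. Exhaustive
    search is fine for a matrix this small; the slides report that 6
    vectors suffice for the real benchmark."""
    for size in range(1, len(VECTORS) + 1):
        for subset in combinations(VECTORS, size):
            seen = {}        # signature -> first browser label with it
            separates = True
            for label, executed in matrix.items():
                sig = signature(executed, subset)
                if sig in seen and key(seen[sig]) != key(label):
                    separates = False
                    break
                seen.setdefault(sig, label)
            if separates:
                return list(subset)
    return list(VECTORS)


def identify(observed, matrix, vectors):
    """Browser labels whose known signature equals the observed one."""
    sig = signature(observed, vectors)
    return [label for label, executed in matrix.items()
            if signature(executed, vectors) == sig]


def check_user_agent(claimed_family, observed, matrix=REACTIONS):
    """Defensive use from slide 36: does the browser behave like the family
    its User-Agent claims? Returns (consistent, families_actually_matched)."""
    families = sorted({family(l) for l in identify(observed, matrix, VECTORS)})
    return (claimed_family in families, families)


if __name__ == "__main__":
    print("distinguishing vectors:", minimal_distinguishing_set(REACTIONS, family))
    # A client claiming IE 8.0 but reacting like Chrome (slide 36's scenario).
    print(check_user_agent("ie", {"v2", "v4", "v6"}))
```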
40 About mobile apps attack surface (Android) Alexandre Bartel PhD - UL Jacques Klein Researcher - UL 41
41 Permission-based architectures 42
42 Android Overview (1/2) Android = Software Stack 43
43 Android overview (2/2). Android = permission-based system: every application has a list of permissions; each permission controls access to a specific resource; Android 2.2 declares in total 142 high-level permissions; developers write the permission list. Example of a permission list for Application 1: INTERNET, CAMERA, READ_SMS. 44
44 Permission gap. Permission gap = {declared permission set} - {inferred permission set}. Consequence: the attack surface is larger. Example: an attacker exploits a buffer overflow in a C library and could take advantage of a permission which is declared but not used by the application. How often do applications present a permission gap? 45
45 Code static analysis: control flow graph 46
46 Permission-Based Security Model
47 Android framework evaluation. We analysed the Android v2.2 bytecode and obtained a matrix M composed of 3957 methods; we identified 4852 permission checks in the framework. Google maintains more than 4000 enforcement points, not necessarily programmed in a systematic way: documentation and maintenance issues. 48
48 Case study: 1355 Android applications (alternative markets, Nov. 2011). Pie chart by category: games, communications, news, sports, travel, health, entertainment, reference, system, multimedia, finance, shopping, productivity (shares as transcribed: 3.91%, 12.47%, 3.99%, 6.57%, 9.52%, 8.71%, 9.52%, 16.24%, 11.88%, 1.85%, 4.13%, 5.76%, 5.46%). 358 / 1355 have a permission gap (26.4%). 49
49 Evaluation of the Android framework matrix: comparison with testing [Felt, 2011]. At least 3 permissions were missing. Combining results from testing (under-approximation) and static analysis (over-approximation) may yield correct results. 51
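The permission-gap computation of slides 44-47 (declared set minus the set inferred from a framework method-to-permission map M and the app's call graph), as an added Python example that is not the authors' tool. The fragment of M, the app's manifest, entry points and call graph are constructed; the permission strings are Android's, the app-side method names are invented.

```python
"""Permission gap (slide 44) = declared permissions - inferred permissions.
The inferred set comes from a map M (framework method -> permissions it
checks, slide 47) joined with the app's call graph. M's fragment, the app and
its call graph are CONSTRUCTED for this example; the real Android 2.2 M on the
slides has 3957 methods."""
from collections import deque

# Constructed fragment of M: framework method -> permissions it enforces.
FRAMEWORK_M = {
    "android.hardware.Camera.open": {"android.permission.CAMERA"},
    "java.net.URL.openConnection": {"android.permission.INTERNET"},
    "android.telephony.SmsManager.sendTextMessage": {"android.permission.SEND_SMS"},
    # The permission checked depends on the URI passed at run time, so static
    # analysis alone under-reports here: one reason slide 49 combines it with
    # testing.
    "android.content.ContentResolver.query": set(),
}

# Constructed app: manifest permissions, entry points and a method-level
# call graph (caller -> callees). Method names are invented.
MANIFEST = {"android.permission.INTERNET", "android.permission.CAMERA",
            "android.permission.READ_SMS"}
ENTRY_POINTS = {"MainActivity.onCreate", "MainActivity.onShare"}
CALL_GRAPH = {
    "MainActivity.onCreate": {"MainActivity.loadFeed"},
    "MainActivity.loadFeed": {"java.net.URL.openConnection", "Util.log"},
    "MainActivity.onShare": {"android.telephony.SmsManager.sendTextMessage"},
    "Util.log": set(),
    # Dead code: no entry point reaches it, so CAMERA is never inferred and
    # the declared CAMERA permission is pure attack surface.
    "DebugHelper.snap": {"android.hardware.Camera.open"},
}


def reachable_methods(entry_points, call_graph):
    """Breadth-first closure of the call graph from the entry points."""
    seen, queue = set(entry_points), deque(entry_points)
    while queue:
        caller = queue.popleft()
        for callee in call_graph.get(caller, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def infer_permissions(entry_points, call_graph, framework_m):
    """Union of M[method] over every framework method the app can reach."""
    inferred = set()
    for method in reachable_methods(entry_points, call_graph):
        inferred |= framework_m.get(method, set())
    return inferred


def permission_report(manifest, entry_points, call_graph, framework_m):
    """gap: declared but never needed (attack surface to remove);
    missing: needed by reachable code but not declared (the call will be
    refused at run time)."""
    inferred = infer_permissions(entry_points, call_graph, framework_m)
    return {"inferred": inferred,
            "gap": manifest - inferred,
            "missing": inferred - manifest}


if __name__ == "__main__":
    for k, v in permission_report(MANIFEST, ENTRY_POINTS, CALL_GRAPH, FRAMEWORK_M).items():
        print(f"{k}: {sorted(v)}")
```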
50 Code: testing and localizing suspicious byte code. Disassembly of SoundboardActivity as shown on the slide (the onCreate listing is cut off on the slide):
public void onActivityResult(int, int, android.content.Intent);
  Code:
   0: iload_1
   1: tableswitch{ //999 to : 28; default: 20 }
   20: aload_0
   21: iload_1
   22: iload_2
   23: aload_3
   24: invokespecial #378; //Method android/app/Activity.onActivityResult:(IILandroid/content/Intent;)V
   27: return
   28: iload_2
   29: bipush -1
   31: if_icmpne 20
   34: aload_3
   35: ldc_w #380; //String android.intent.extra.ringtone.PICKED_URI
   38: invokevirtual #384; //Method android/content/Intent.getParcelableExtra:(Ljava/lang/String;)Landroid/os/Parcelable;
   41: checkcast #386; //class android/net/Uri
   44: astore 4
   46: aload 4
   48: ifnull 20
   51: aload_0
   52: iconst_1
   53: aload 4
   55: invokestatic #96; //Method android/media/RingtoneManager.setActualDefaultRingtoneUri:(Landroid/content/Context;ILandroid/net/Uri;)V
   58: goto 20
Localized call (annotated on the slide): RingtoneManager.setActualDefaultRingtoneUri:(Landroid/content/Context;ILandroid/net/Uri;)V OK!
public void onAdClick(com.mobclix.android.sdk.MobclixAdView);
  Code:
   0: ldc #43; //String SoundboardActivity
   2: ldc_w #390; //String Ad clicked!
   5: invokestatic #393; //Method android/util/Log.v:(Ljava/lang/String;Ljava/lang/String;)I
   8: istore_2
   9: return
public void onCreate(android.os.Bundle);
  Code:
   0: aload_0
   1: aload_1
   2: invokespecial #397; //Method android/app/Activity.onCreate:(Landroid/os/Bundle;)V
   5: aload_0
   6: ldc_w #398; //int
   9: invokevirtual #401; //Method setContentView:(I)V
   12: aload_0
   13: aload_0
   14: putfield #67; //Field mContext:Landroid/app/Activity;
   17: aload_0
   18: invokestatic #406; //Method com/mobclix/android/sdk/Mobclix.onCreate:(Landroid/app/Activity;)V
   21: aload_0
   22: ldc_w #398; //int
51 Android inter-component communication (ICC). Given one Android app, we use data-flow analysis to compute the list of components the app communicates with, and an interface showing how other apps could communicate with the app; each app can be described with those two lists. Having this map opens the door to: detecting Intents which can be intercepted by other applications; in general, detecting all kinds of ICC vulnerabilities; detecting application collusion (apps which share permissions).
52 Application collusion (diagram; permissions shown: GPS, INTERNET, READ_CONTACT)
53 Conclusion: Android security and research challenges. Could we understand how to improve Android apps security? Static analysis allows reducing the attack surface. Combining testing and static analysis: locate the suspicious byte code, detect malware. 55
54 About internal information system security 56
55 In a nutshell: security policy architecture. The security policy is enforced by policy enforcement points (PEP1, PEP2, ..., PEPn) that query a policy decision point (PDP); test cases validate the security mechanisms of the secure application. Research questions: how to evaluate test quality? how to generate security test cases? (Slide footer: 3/22/2013 Tejeddine Mouelhi - MUTATION'12 - SnT) 58
56 Security policy: rights and duties. Access control rules express permissions or prohibitions for users to access some resources of the system, based on an access control model (RBAC, OrBAC, MAC, DAC, ...), e.g. Permission(Library, Teacher, Borrow, Book, WorkingDays). Obligation policies are about usages/duties, e.g. the doctor should examine a patient within 20 minutes. 59
57 Obligation management. State diagram (labels only): Start, Create duty, Obligation (Abstract), Instantiation, Concrete; states Inactive, Active, Fulfilled, Violated; transitions labelled Start(Ca), End(Ca), Start(Cv), End(Ca). 60
58 Security policy mutation analysis. From the initial access control policy (rules R1, R2, R3, ..., Ri), mutant policies are derived (each listed with rules R1, R2, R3, ..., Ri altered). The mutants are implemented in the application's components for security mechanisms and access control, which collaborate with the other components (input validation, security protections) and the DB; test cases exercise the application. 61
59 Testing access control. Reuse functional tests; code coverage; CR1: 1 test case per declared rule; CR2: 1 test case per concrete rule. 62
60 Case studies (table of #classes, #methods, #LOC; values not transcribed): LMS (Library Management System), VMS (Virtual Meeting Server), ASMS (Auction Sale Management System).
61 Number of mutants per operator category for LMS, ASMS and VMS (counts not transcribed). Basic mutation operators: type changing, parameter changing, hierarchy changing (operators PPR, PRP, RRD, CRD, RPD, APD); rule adding operator: ANR; total.
62 Mutation score: functional test cases are not sufficient. Bar chart of overall mutation scores with basic security mutants for Functional, CR1 and CR2 on LMS, ASMS and VMS (values as transcribed: 100%, 78%, 100%, 100%, 100%, 87%, 73%, 69%, 65%, 49%, 0%).
63 Mutation score: testing non-explicit rules is harder. Bar chart of mutation scores with all mutants for Functional, CR1 and CR2 on LMS, ASMS and VMS (y axis 0% to 100%; bar values not transcribed).
64 Conclusion and research challenges. A qualification process. Some challenges: test generation for security policies (formal models, MBT, combinatorial testing); test performance vs. security; regression testing when the security policy evolves.
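The mutation analysis of slides 58-63 worked through on a small rule set, as an added Python example that is not the authors' framework: rules follow the slide-56 tuple Permission(Library, Teacher, Borrow, Book, WorkingDays), mutants are generated by three operator categories, and the mutation score is compared for functional tests versus the CR1 criterion of slide 59. The policy, role hierarchy, operators and tests are constructed; the operator names are this example's and do not reproduce the talk's PPR/RRD/ANR definitions.

```python
"""Mutation analysis of an access control policy (slides 58-63): mutate the
rule set, run the tests against every mutant, count the mutants whose
decision differs from the original policy (killed). Policy, hierarchy,
operators and tests are CONSTRUCTED for this example."""
from dataclasses import dataclass, replace
from itertools import product


@dataclass(frozen=True)
class Rule:
    kind: str       # "permission" or "prohibition"
    org: str
    role: str
    activity: str
    view: str
    context: str    # "Default" matches any context


# Constructed role hierarchy: a role inherits the rules of its parent role.
PARENT = {"Director": "Librarian", "Librarian": "Personnel",
          "Student": "Borrower", "Teacher": "Borrower"}


def ancestors(role):
    chain = [role]
    while role in PARENT:
        role = PARENT[role]
        chain.append(role)
    return chain


POLICY = [
    Rule("permission", "Library", "Borrower", "Borrow", "Book", "WorkingDays"),
    Rule("prohibition", "Library", "Student", "Borrow", "Book", "Holidays"),
    Rule("permission", "Library", "Personnel", "Manage", "Account", "Default"),
]


def decide(policy, org, role, activity, view, context):
    """Closed policy: deny unless a permission applies; a matching
    prohibition always wins over a permission."""
    decision = "deny"
    for r in policy:
        if ((r.org, r.activity, r.view) == (org, activity, view)
                and r.role in ancestors(role)
                and r.context in (context, "Default")):
            if r.kind == "prohibition":
                return "deny"
            decision = "allow"
    return decision


def mutants(policy):
    """Yield (operator, mutant_policy) for three operator categories."""
    roles = sorted({r.role for r in policy})
    acts = sorted({r.activity for r in policy})
    views = sorted({r.view for r in policy})
    for i, r in enumerate(policy):
        # Type changing: swap permission <-> prohibition on one rule.
        flipped = "prohibition" if r.kind == "permission" else "permission"
        yield "type", policy[:i] + [replace(r, kind=flipped)] + policy[i + 1:]
        # Parameter changing: replace the rule's role by another policy role.
        for role in roles:
            if role != r.role:
                yield "param", policy[:i] + [replace(r, role=role)] + policy[i + 1:]
    # Rule adding: a permission for a (role, activity, view) with no rule yet;
    # these are the "non-explicit rules" of slide 63.
    covered = {(r.role, r.activity, r.view) for r in policy}
    for role, act, view in product(roles, acts, views):
        if (role, act, view) not in covered:
            yield "add", policy + [Rule("permission", "Library", role, act, view, "Default")]


def mutation_score(policy, tests, operators=("type", "param", "add")):
    """tests: request tuples (org, role, activity, view, context); the oracle
    is the original policy's decision. Returns (killed, total, live_ops)."""
    expected = [decide(policy, *t) for t in tests]
    killed, total, live = 0, 0, []
    for op, m in mutants(policy):
        if op not in operators:
            continue
        total += 1
        if any(decide(m, *t) != e for t, e in zip(tests, expected)):
            killed += 1
        else:
            live.append(op)
    return killed, total, live


# Functional tests: the requests an ordinary use case issues.
FUNCTIONAL = [("Library", "Student", "Borrow", "Book", "WorkingDays"),
              ("Library", "Librarian", "Manage", "Account", "WorkingDays")]
# CR1 (slide 59): one test case per declared rule, the prohibition included.
CR1 = [("Library", "Teacher", "Borrow", "Book", "WorkingDays"),
       ("Library", "Student", "Borrow", "Book", "Holidays"),
       ("Library", "Personnel", "Manage", "Account", "WorkingDays")]

if __name__ == "__main__":
    for name, tests in (("functional", FUNCTIONAL), ("CR1", CR1)):
        k, n, _ = mutation_score(POLICY, tests, operators=("type", "param"))
        print(f"{name}: basic mutants killed {k}/{n}")
        k, n, _ = mutation_score(POLICY, tests)
        print(f"{name}: all mutants killed {k}/{n}")
```

The rule-adding mutants survive both test sets: they only change decisions on requests no declared rule covers, which is what slide 63 means by non-explicit rules being harder to test.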
65 Emerging research challenge Putting the cloud under pressure 68
66 Tests must scale too: peer-to-peer load testing. Test methodology: normal load vs. distributed denial of service attacks (DDoS). 69
68 Overall conclusion: many open challenges. Testing as a hacker: models for generating new vectors; no test adequacy criteria; regression testing; testing IDS and security components. Testing a security policy: already some adequacy criteria; formal modelling; MBT. Testing a cloud's robustness. Design for testable security: model-driven security. 71
69 «intelligently react to abnormal situations and ensure the quality of the information» (P1 conclusion) Questions? 72
70 6th IEEE conference in software testing, verification and validation, Luxembourg, 2013. Deadline: September 17 73
More informationThe purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.
This sample report is published with prior consent of our client in view of the fact that the current release of this web application is three major releases ahead in its life cycle. Issues pointed out
More informationProtection, Usability and Improvements in Reflected XSS Filters
Protection, Usability and Improvements in Reflected XSS Filters Riccardo Pelizzi System Security Lab Department of Computer Science Stony Brook University May 2, 2012 1 / 19 Riccardo Pelizzi Improvements
More informationJoint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training - Session One
Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training - Session One End User Security, IS Control Evaluation & Self- Assessment Information Security Trends and Countermeasures
More informationChecking Access to Protected Members in the Java Virtual Machine
Checking Access to Protected Members in the Java Virtual Machine Alessandro Coglio Kestrel Institute 3260 Hillview Avenue, Palo Alto, CA 94304, USA Ph. +1-650-493-6871 Fax +1-650-424-1807 http://www.kestrel.edu/
More informationSESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER
SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER XSS-BASED ABUSE OF BROWSER PASSWORD MANAGERS Ben Stock, Martin Johns, Sebastian Lekies Browser choices Full disclosure: Ben was an intern with Microsoft
More informationPCI Compliance Updates
PCI Compliance Updates E-Commerce / Cloud Security Adam Goslin, Chief Operations Officer AGoslin@HighBitSecurity.com Direct: 248.388.4328 PCI Guidance Google: PCI e-commerce guidance https://www.pcisecuritystandards.org/pdfs/pci_dss_v2_ecommerce_guidelines.pdf
More informationHow To Write A Web Server In Javascript
LIBERATED: A fully in-browser client and server web application debug and test environment Derrell Lipman University of Massachusetts Lowell Overview of the Client/Server Environment Server Machine Client
More informationWeb Application Firewalls: What the vendors do NOT want you to know SHAKACON III
Web Application Firewalls: What the vendors do NOT want you to know $ whois WendelGH PT Consultant at Trustwave's SpiderLabs. Over 7 years in the security industry. Vulnerability discovery Webmails, AP,
More informationUniversity of Twente. A simulation of the Java Virtual Machine using graph grammars
University of Twente Department of Computer Science A simulation of the Java Virtual Machine using graph grammars Master of Science thesis M. R. Arends, November 2003 A simulation of the Java Virtual Machine
More informationElevation of Mobile Security Risks in the Enterprise Threat Landscape
March 2014, HAPPIEST MINDS TECHNOLOGIES Elevation of Mobile Security Risks in the Enterprise Threat Landscape Author Khaleel Syed 1 Copyright Information This document is an exclusive property of Happiest
More informationWeb attacks and security: SQL injection and cross-site scripting (XSS)
Web attacks and security: SQL injection and cross-site scripting (XSS) License This work by Z. Cliffe Schreuders at Leeds Metropolitan University is licensed under a Creative Commons Attribution-ShareAlike
More informationAnalysis of advanced issues in mobile security in android operating system
Available online atwww.scholarsresearchlibrary.com Archives of Applied Science Research, 2015, 7 (2):34-38 (http://scholarsresearchlibrary.com/archive.html) ISSN 0975-508X CODEN (USA) AASRC9 Analysis of
More informationBypassing NoScript Security Suite Using Cross-Site Scripting and MITM Attacks
Bypassing NoScript Security Suite March 2016 Mazin Ahmed mazin@mazinahmed.net @mazen160 Table of Contents Abstract... 3 Introduction... 3 Research... 4 Solution... 7 Recommendations... 7 Notes... 7 Disclosure
More informationWeb Application security testing: who tests the test?
Web Application security testing: who tests the test? Ainārs Galvāns Application Penetration Tester www.exigenservices.lv About myself Functional testing Leading test group Reporting to client Performance
More informationDefending Against Cyber Attacks with SessionLevel Network Security
Defending Against Cyber Attacks with SessionLevel Network Security May 2010 PAGE 1 PAGE 1 Executive Summary Threat actors are determinedly focused on the theft / exfiltration of protected or sensitive
More informationTesting and Modeling Security Mechanisms in Web Applications
Testing and Modeling Security Mechanisms in Web Applications Tejeddine Mouelhi To cite this version: Tejeddine Mouelhi. Testing and Modeling Security Mechanisms in Web Applications. Software Engineering
More informationPhishing by data URI
Phishing by data URI Henning Klevjer henning@klevjers.com October 22, 2012 1 Abstract Historically, phishing web pages have been hosted by web servers that are either compromised or owned by the attacker.
More informationCyber Exploits: Improving Defenses Against Penetration Attempts
Cyber Exploits: Improving Defenses Against Penetration Attempts Mark Burnette, CPA, CISA, CISSP, CISM, CGEIT, CRISC, QSA LBMC Security & Risk Services Today s Agenda Planning a Cyber Defense Strategy How
More informationPreparing for the Cross Site Request Forgery Defense
Preparing for the Cross Site Request Forgery Defense Chuck Willis chuck.willis@mandiant.com Black Hat DC 2008 February 20, 2008 About Me Principal Consultant with MANDIANT in Alexandria, VA Full spectrum
More informationWEB 2.0 AND SECURITY
WEB 2.0 AND SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without
More informationBM482E Introduction to Computer Security
BM482E Introduction to Computer Security Lecture 7 Database and Operating System Security Mehmet Demirci 1 Summary of Lecture 6 User Authentication Passwords Password storage Password selection Token-based
More informationCS 558 Internet Systems and Technologies
CS 558 Internet Systems and Technologies Dimitris Deyannis deyannis@csd.uoc.gr 881 Heat seeking Honeypots: Design and Experience Abstract Compromised Web servers are used to perform many malicious activities.
More informationIntegrating Security Testing into Quality Control
Integrating Security Testing into Quality Control Executive Summary At a time when 82% of all application vulnerabilities are found in web applications 1, CIOs are looking for traditional and non-traditional
More informationWeb Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure
Vulnerabilities, Weakness and Countermeasures Massimo Cotelli CISSP Secure : Goal of This Talk Security awareness purpose Know the Web Application vulnerabilities Understand the impacts and consequences
More informationTesting Tools Content (Manual with Selenium) Levels of Testing
Course Objectives: This course is designed to train the fresher's, intermediate and professionals on testing with the concepts of manual testing and Automation with Selenium. The main focus is, once the
More informationThe case for continuous penetration testing
The case for continuous penetration testing By Oliver Cromwell, OccamSec Knowing your risk In an ideal world, risk management for an organization would be based on complete knowledge of all the factors
More informationHow DataSunrise Helps to Comply with SOX, PCI DSS and HIPAA Requirements
How DataSunrise Helps to Comply with SOX, PCI DSS and HIPAA Requirements DataSunrise, Inc. https://www.datasunrise.com Note: the latest copy of this document is available at https://www.datasunrise.com/documentation/resources/
More information