Security of Web Applications and Browsers: Challenges and Solutions


Security of Web Applications and Browsers: Challenges and Solutions
A Tutorial Proposal for ACM SAC 2015
By Dr. Hossain Shahriar
Department of Computer Science, Kennesaw State University, Kennesaw, GA 30144, USA
Email: hshahria@kennesaw.edu
ACM SAC 2015 Tutorial Proposal Page 1 of 5

1. Title: Security of Web Applications and Browsers: Challenges and Solutions

2. Duration: Half day, 3 hours

3. Abstract

We rely on web applications to perform many useful activities. Despite the awareness raised over the past decade about vulnerabilities commonly discovered in the implementation of web applications, we still observe the presence of known vulnerabilities today. Worse, browser platforms pose extra challenges through extended functionalities or lightweight extension applications that can not only access data from visited web pages and local machines, but also transfer it to remote hosts controlled by hackers. A solid understanding of both application and browser platform security is therefore essential to tame the unsecured web. In this tutorial we provide an overview of some common vulnerabilities in web applications and browsers, followed by some common techniques for combating these security threats. In particular, we discuss some well-known implementation-level vulnerabilities (e.g., SQL injection, cross-site scripting, clickjacking) along with a popular mitigation approach known as security testing. We then focus on the browser platform and explore some of the features it offers to extension applications, together with their capabilities. We highlight vulnerabilities that arise from extensions and then explore malware extensions. Finally, we discuss some practices for securely implementing browser extensions and for combating malware extensions.

4. Motivation, target audience, and interest for the SAC community

Most of the security breaches reported in various surveys (e.g., OWASP) have been shown to be related to implementation-level weaknesses and to some of the supported features of the underlying browser. Exploitation of these vulnerabilities can have unwanted consequences such as bypassing the legitimate login procedure, hijacking session information, deleting or altering sensitive data, executing arbitrary code supplied by hackers, and passing sensitive information to unwanted third parties. This tutorial is therefore intended to raise awareness and guide practitioners in preventing these consequences. The tutorial is intended for application designers and developers, security testers, security researchers, scientists, and graduate students. As the tutorial addresses one of the most emerging and crucial issues in security and quality assurance, it has a high degree of relevance and addresses a broad spectrum of potential attendees of ACM SAC 2015. The tutorial will help the related stakeholders understand the most common program security vulnerabilities. Moreover, it will allow relevant professionals to apply appropriate vulnerability mitigation techniques.

5. Outline of the tutorial

The tutorial consists of three major parts. In the first part, we briefly discuss some of the most common vulnerabilities that are widely discovered in programs. We give an idea of how the exploitation of four commonly discovered web security vulnerabilities (SQL injection, cross-site scripting, cross-site request forgery, clickjacking) can lead to many unwanted behaviors such as login bypassing.
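
The login-bypass case named for Part 1 can be made concrete with a small self-contained demonstration. The code below is an added example and is not part of the proposal or the presenter's tutorial material: it builds a constructed in-memory SQLite users table, implements the same login check twice (once with string concatenation, once with bound parameters), and runs a constructed list of black-box test cases against each implementation, reporting which inputs are accepted when they should be rejected. All table, user and test-case values are made up for the demo.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed demo database with a single user.
    Plain-text passwords are used only to keep the demo short; a real
    application stores password hashes, which does not change the injection issue."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the query by string concatenation, so user input becomes SQL syntax.
    The WHERE clause can be rewritten by quote characters in either field."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0

def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Binds the input as parameters: the driver sends it as data, never as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0

# Constructed black-box test cases: (username, password, expected login result).
# The last two are the classic quote-and-OR inputs; a correct login must reject them.
TEST_CASES = [
    ("alice", "correct horse battery staple", True),
    ("alice", "wrong", False),
    ("alice", "' OR '1'='1", False),
    ("' OR 1=1 --", "anything", False),
]

def run_tests(login_fn):
    """Runs every test case against login_fn on a fresh database and
    returns the (username, password, observed) triples whose result
    differs from the expected one. An empty list means all cases passed."""
    failures = []
    for username, password, expected in TEST_CASES:
        try:
            observed = login_fn(make_db(), username, password)
        except sqlite3.Error as exc:   # a syntax error is also a finding for the tester
            observed = f"error: {exc}"
        if observed != expected:
            failures.append((username, password, observed))
    return failures

if __name__ == "__main__":
    for fn in (login_vulnerable, login_parameterized):
        print(fn.__name__, "failures:", run_tests(fn))
```

Running the script shows the concatenated version accepting both malformed inputs (the OR clause makes the WHERE condition true for every row) while the parameterized version rejects them, which is the mitigation the tutorial's Part 1 points at; the `run_tests` harness is the simplest form of the test-case-driven detection discussed in Part 2.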

In the second part, we introduce the vulnerability detection process based on a testing approach. We explore both black-box and white-box approaches. In particular, our discussion focuses on some key aspects of conducting the testing process, such as the test case generation method, the source of test cases, test case granularity, and vulnerability coverage. We discuss some test case generation techniques in detail, followed by open issues.

In the third part, we discuss the browser structure, focusing particularly on Mozilla, an open-source browser widely used today. We introduce the browser extension concept, outline its structure, and give supporting application examples. We discuss vulnerabilities that may arise in extensions and show how they can be exploited. We then discuss malware extensions that can perform unwanted activities without the knowledge of the user. Finally, we discuss some common programming practices that can be applied to prevent vulnerabilities in extensions, as well as approaches to detect and prevent malware extensions.

For each part, we give the estimated duration and subtopics in the structure of contents below, followed by a list of the most relevant literature.

Structure of Contents

Introduction (10 min)
o Motivation and background

Web application vulnerabilities (Part 1: 45 min)
o SQL Injection
o Cross-Site Scripting
o Cross-Site Request Forgery
o Clickjacking

Security testing (Part 2: 40 min)
o Taxonomy of web security testing
o Test case generation technique
o Static analysis based security testing

Browser Vulnerabilities (Part 3: 45 min)
o Browser security model and extension
o Vulnerable and malware extension
o Prevention and solutions

Summary (10 min)

References

1. H. Shahriar, K. Weldemariam, M. Zulkernine, and T. Lutellier, Effective detection of vulnerable and malicious browser extensions, Computers & Security, June 2014, Elsevier Science (to appear).
2. H. Shahriar, V. Devendran, and H. Haddad, "ProClick: A Framework for Testing Clickjacking Attacks in Web Applications," To appear in Proc. of 6th ACM/SIGSAC International Conference on Security of Information and Networks (SIN 2013), Aksaray, Turkey, November 2013, pp. 144-151.

3. H. Shahriar and M. Zulkernine, Mitigation of Program Security Vulnerabilities: Approaches and Challenges, ACM Computing Surveys (CSUR), Vol. 44, No. 3, Article 11, pp. 1-46, May 2012.
4. H. Shahriar and M. Zulkernine, Trustworthiness Testing of Phishing Websites: A Behavior Model-based Approach, Future Generation Computer Systems, Vol. 28, Issue 8, October 2012, pp. 1258-1271.
5. H. Shahriar and M. Zulkernine, Taxonomy and Classification of Automatic Monitoring of Program Security Vulnerability Exploitations, Journal of Systems and Software, Elsevier Science, Vol. 84, Issue 2, February 2011, pp. 250-269.
6. H. Shahriar and M. Zulkernine, S2XS2: A Server Side Approach to Automatically Detect XSS Attacks, Proc. of the 9th IEEE International Conference on Dependable, Autonomic and Secure Computing (DASC), Sydney, Australia, December 2011, pp. 7-14.
7. H. Shahriar and M. Zulkernine, Client-Side Detection of Cross-Site Request Forgery Attacks, Proc. of the 21st IEEE International Symposium on Software Reliability Engineering (ISSRE), San Jose, USA, November 2010, pp. 358-367.

6. Specific goals and learning objectives

After completing the tutorial, the participants are expected to be able to do the following:
o Explain the causes of web application security vulnerabilities, demonstrate the consequences of vulnerabilities with attack payloads, and generate new attack payloads
o Explain various features of browsers and extensions, develop small extensions having vulnerabilities, and then exploit them with suitable test cases
o Follow secure programming principles to prevent vulnerabilities
o Choose appropriate defense techniques to detect vulnerabilities in applications and malware extensions
o Follow best practices for deploying web applications and configuring browsers

7. Expected background of the audience

Participants are expected to have some familiarity with languages for web application development, including HTML, JavaScript, PHP, JSP, and XML.

8. Presenter bios

Dr. Hossain Shahriar is currently an Assistant Professor of Computer Science at Kennesaw State University, Georgia, USA. His research interests include software security, web application security, software testing, mobile application security, and malware analysis. Dr. Shahriar is an expert on application security testing with extensive publications and industry experience. His research has attracted a number of awards, including the IEEE DASC 2011 Best Paper Award, the Outstanding PhD Research Achievement Award 2011, and the IEEE Kingston Section Research Excellence Award 2008. Dr. Shahriar presented tutorials at ACM SAC 2011 and IEEE ISSRE 2012, and was invited to present a tutorial on web application security issues at ACM/SIGSAC SIN 2013. He has served as a PC member of various international conferences related to computer and software security, such as ACM SAC 2014 (Computer Security Track), ACM/SIGSAC SIN 2014, and IEEE ITNG 2014. He is also serving as an associate editor of the International Journal of Secure Software Engineering. Dr. Shahriar is currently a member of the ACM, ACM SIGAPP, and IEEE.

9. Audio-visual equipment needed for the presentation

A projector for a PowerPoint slide show would be sufficient.

10. Teaching materials on the topic by the presenter

a) Tutorials in international conferences
1. Mitigation of Program Security Vulnerabilities: Approaches and Challenges, In ACM SAC 2014, Gyeongju, South Korea.
2. Security Vulnerabilities and Mitigation Techniques of Web Applications, In ACM/SIGSAC SIN 2013, Aksaray, Turkey.
3. Mitigation of Program Security Vulnerabilities: Approaches and Challenges, In IEEE ISSRE 2012, Dallas, TX, USA.
4. Mitigation of Program Security Vulnerabilities: Approaches and Challenges, In ACM SAC 2011, Taichung, Taiwan, March 2011.

b) Invited talks / guest speaker seminars
1. Web Application Security Vulnerability: Mitigation Approaches and Challenges, CIISE, Concordia University, Quebec, Canada, February 2013.
2. Web Security Vulnerabilities: Challenges, Approaches, and Future, The School of Informatics, The University of Edinburgh, Scotland, UK, March 2012.
3. Web Security, School of Computing (Guest Lecture Seminar), Queen's University, Canada, November 2010.

c) Academic courses
1. Computing Security (CS6040), Kennesaw State University, GA, USA.
2. Theory of Networking & Security (CS3550), Kennesaw State University, GA, USA.
3. Secure Software Development (CS4550), Kennesaw State University, GA, USA.