ZigZag: Automatically Hardening Web Applications Against Client-side Validation Vulnerabilities Presented by Xianchen Meng CSCI 680 Advanced System and.

Slides:

Advertisements

Similar presentations

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.

Advertisements

Part 2 Authors: Marco Cova, et al. Presented by Brett Parker.

Bypassing Client-Side Protection CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Applet Security Gunjan Vohra. What is Applet Security? One of the most important features of Java is its security model. It allows untrusted code, such.

Current Security Threats WMO CBS ET-CTS Toulouse, France May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.

An Evaluation of the Google Chrome Extension Security Architecture

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

SOFTWARE SECURITY JORINA VAN MALSEN 1 FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications.

1 A Privacy-Preserving Defense Mechanism Against Request Forgery Attacks Ben S. Y. Fung and Patrick P. C. Lee The Chinese University of Hong Kong TrustCom’11.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,

1 Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Prateek Saxena UC Berkeley Yacin Nadji Illinois Institute Of Technology.

XP Tutorial 9 New Perspectives on JavaScript, Comprehensive1 Working with Cookies Managing Data in a Web Site Using JavaScript Cookies.

Computer Security and Penetration Testing

Office 365 Platform Flexible Tools App Manifest Web Page HTML/CSS/JS App.

Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.

Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)

FORESEC Academy FORESEC Academy Security Essentials (II)

CSCI 6962: Server-side Design and Programming Course Introduction and Overview.

Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.

Validation Controls. Validation Server Controls These are a special type of Web server control. They significantly reduce some of the work involved in.

SQL INJECTION COUNTERMEASURES &

Preventing SQL Injection Attacks in Stored Procedures Alex Hertz Chris Daiello CAP6135Dr. Cliff Zou University of Central Florida March 19, 2009.

Robust Defenses for Cross-Site Request Forgery CS6V Presented by Saravana M Subramanian.

Exploitation: Buffer Overflow, SQL injection, Adobe files Source:

Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 5 “Database and Cloud Security”.

Computer Security and Penetration Testing

Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.

nd Joint Workshop between Security Research Labs in JAPAN and KOREA Profile-based Web Application Security System Kyungtae Kim High Performance.

CSCD 434 Network Security Spring 2014 Lecture 1 Course Overview.

CSC-682 Cryptography & Computer Security Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Pompi Rotaru Based on an article.

Secure Credential Manager Claes Nilsson - Sony Ericsson

Defending Browsers against Drive-by Downloads:Mitigating Heap-Spraying Code Injection Attacks Authors:Manuel Egele, Peter Wurzinger, Christopher Kruegel,

Attacking Data Stores Brad Stancel CSCE 813 Presentation 11/12/2012.

Buffer Overflow Defenses. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Buffer Overflow Defenses Author:

Practical Byzantine Fault Tolerance

Beyond negative security Signatures are not always enough Or Katz Trustwave ot.com/

1 Swaddler: An Approach for the Anomaly-based Detection of State Violations in Web Application Marco Cova, Davide Balzarotti, Viktoria Felmetsger, and.

Web Logic Vulnerability By Eric Jizba and Yan Chen With slides from Fangqi Sun and Giancarlo Pellegrino.

Information Security What is Information Security?

Security Attacks CS 795. Buffer Overflow Problem Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program.

Software Security Without The Source Code By Matt Hargett.

Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Nexthink V5 Demo Security – Malicious Anomaly. Situation › Avoid damage resulting from the incident itself and the cost of the unplanned response › Protection.

Lecture 5 User Authentication modified from slides of Lawrie Brown.

Protecting Browsers from Extension Vulnerabilities Paper by: Adam Barth, Adrienne Porter Felt, Prateek Saxena at University of California, Berkeley and.

Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.

Polygraph: Automatically Generating Signatures for Polymorphic Worms Presented by: Devendra Salvi Paper by : James Newsome, Brad Karp, Dawn Song.

Computer Security By Duncan Hall.

Module: Software Engineering of Web Applications Chapter 3 (Cont.): user-input-validation testing of web applications 1.

Automatic and Precise Client-Side Protection against CSRF Attacks.

Effective Anomaly Detection with Scarce Training Data Presenter: 葉倚任 Author: W. Robertson, F. Maggi, C. Kruegel and G. Vigna NDSS

Application Communities Phase 2 (AC2) Project Overview Nov. 20, 2008 Greg Sullivan BAE Systems Advanced Information Technologies (AIT)

Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure Paper By : V.T.Lam, S.Antonatos, P.Akritidis, K.G.Anagnostakis Conference : ACM.

MIT/Determina Application Communities, page 1 Approved for Public Release, Distribution Unlimited - Case 9649 Collaborative learning for security and repair.

Tutorial 6 Creating a Web Form

By: Chuqing He. Android Overview - Purchased by Google in First Android Phone was sold in Oct Linux-based - Holds 75% of the worldwide.

Constraint Framework, page 1 Collaborative learning for security and repair in application communities MIT site visit April 10, 2007 Constraints approach.

HIPS. Host-Based Intrusion Prevention Systems  One of the major benefits to HIPS technology is the ability to identify and stop known and unknown attacks,

Database and Cloud Security

Buffer Overflow Defenses

Module: Software Engineering of Web Applications

Chapter 7: Identifying Advanced Attacks

World Wide Web policy.

Article Authors – Oleksii Starov & Nick Nikiforakas

SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities Yuchen Zhou, and David Evans 23rd USENIX Security Symposium, August,

Cross-Site Request Forgeries: Exploitation and Prevention

Detecting Targeted Attacks Using Shadow Honeypots

Exploring DOM-Based Cross Site Attacks

Presentation transcript:

ZigZag: Automatically Hardening Web Applications Against Client-side Validation Vulnerabilities Presented by Xianchen Meng CSCI 680 Advanced System and Network Security

Background URLResultReason Success Success FailedDifferent protocol FailedDifferent port FailedDifferent domain

Background Image from:

Background Image from:

 While this provides much greater flexibility to application developers, it also opens the door for vulnerabilities to be introduced into web applications due to insufficient origin checks or other programming mistakes. Background

Image from:

Background Image from: function listener(event){ if (event.origin.indexOf("domain.test") != -1){ eval(event.data); } Developer must verify origin correctly "domain.test.attacker.com"

Outline  Background  Motivation Example of webmail service  System overview Learning phrase Enforcement phrase  Invariant Detection and Enforcement  Program Generalization  Evaluation  Quiz

Motivation example

domain.test.attacker.comdomain.test

Motivation example domain.test.attacker.comdomain.test

Motivation example domain.test.attacker.comdomain.test Cookie leak

Goal  Secure JavaScript Apps Harden the buggy Apps the app like before: benign but buggy Fully automatic no developer interaction Detection /defense in browser alone no modification on browser Prevent unknown vulnerabilities

Zigzag overview  Anomaly detection system preventing CSV attacks  Instrumentation of client-side JavaScript  Generates model of benign behavior  Two phases Learning of benign behavior Prevent attacks

Learning Phrase Image from:

Learning Phrase Image from:

Learning Phrase Image from:

Learning Phrase Image from:

Learning Phrase Image from:

Learning Phrase Image from:

Learning Phrase Image from:

Enforcement Phrase Image from:

Enforcement Phrase Image from:

Enforcement Phrase Image from:

Enforcement Phrase Image from:

Enforcement Phrase Image from:

Enforcement Phrase Image from:

Enforcement Phrase Image from:

Invariant Detection Invariants supported by ZigZag

Invariant Detection Univariate invariants Multivariate invariants the length of a string the percentage of printable characters in a string the parity of a number x == y x+5 == y x < y

Instrumentation Details Image from:

Enforcement Details

Program Generalization

Programs differ, but AST is similar

Limitations  The system was not designed to be stealthy or protect its own integrity if an attacker manages to gain JavaScript code execution in the same origin.If attackers were able to perform arbitrary JavaScript commands, any kind of in-program defense would be futile without support from the browser.  anomaly detection relies on a benign training set of sufficient size to represent the range of runtime behaviors that could occur. If the training set contains attacks, the resulting invariants might be prone to false negatives.

Evaluation  Four real-world vulnerable sites  Synthetic webmail application  Attacks caught  Functionality retained

Performance Median overhead: 2.01s

Performance Median overhead: 112%

Performance 0.66ms overhead

Contributions  In-browser anomaly detection system for hardening against previously unknown CSV vulnerabilities  Invariant patching: extending invariant detection to server-side templates

Quiz:  1.What are the two phrases of Zigzag?  2.What are the basic processes of Zigzag?  3.What are the two limitations the author mentioned of Zigzag?