Web Logic Vulnerability By Eric Jizba and Yan Chen With slides from Fangqi Sun and Giancarlo Pellegrino.

Slides:

Advertisements

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Advertisements

Detecting Logic Vulnerabilities in E- Commerce Applications FANGQI SUN, LIANG XU, ZHENDONG SU UNIVERSITY OF CALIFORNIA, DAVIS NDSS (FEBRUARY,2014) 1.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Part 2 Authors: Marco Cova, et al. Presented by Brett Parker.

JShield: Towards Real-time and Vulnerability-based Detection of Polluted Drive-by Download Attacks Yinzhi Cao*, Xiang Pan**, Yan Chen** and Jianwei Zhuge***

SACM Terminology Nancy Cam-Winget, David Waltermire, March.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

SOFTWARE SECURITY JORINA VAN MALSEN 1 FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications.

DT211/3 Internet Application Development JSP: Processing User input.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

1 Advanced Material The following slides contain advanced material and are optional.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

1 Detecting Logic Vulnerabilities in E- Commerce Applications Presenter: Liu Yin Slides Adapted from Fangqi Sun Computer Science Department College of.

PCI's Changing Environment – “What You Need to Know & Why You Need To Know It.” Stephen Scott – PCI QSA, CISA, CISSP

Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.

Web-based Portal for Discovery, Retrieval and Visualization of Earth Science Datasets in Grid Environment Zhenping (Jane) Liu.

Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.

Vetting SSL Usage in Applications with SSLINT

Cloud Computing Cloud Security– an overview Keke Chen.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 18 Slide 1 Software Reuse.

WAPTEC: Whitebox Analysis of Web Applications for Parameter Tampering Exploit Construction Prithvi Bisht ( + Timothy Hinrichs*

Protecting Web 2.0 Services from Botnet Exploitations Cybercrime and Trustworthy Computing Workshop (CTC), 2010 Second Nguyen H Vo, Josef Pieprzyk Department.

Project Proposal Interface Design Website Coding Website Testing & Launching Website Maintenance.

Aspera License Management –

Web Application Security Testing Automation.. Copyright © 2008 Deloitte Touche Tohmatsu. All rights reserved.1 What types of automated testing are there?

Security Testing Case Study 360logica Software Testing Services.

ZigZag: Automatically Hardening Web Applications Against Client-side Validation Vulnerabilities Presented by Xianchen Meng CSCI 680 Advanced System and.

CSC-682 Cryptography & Computer Security Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Pompi Rotaru Based on an article.

Secure Credential Manager Claes Nilsson - Sony Ericsson

Case Study: Interspire and PayPal Express. Case: Interspire and PayPal Express Interspire is an eCommerce merchant software Can be integrated with PayPal.

1 CHAPTER 2 LAWS OF SECURITY. 2 What Are the Laws of Security Client side security doesn’t work Client side security doesn’t work You can’t exchange encryption.

An Ad Hoc Writable Rule Language for White-Box Security Scanners Author:Sebastian Schinzel Referent:Prof. Dr. Alexander del Pino Korreferent:Prof. Dr.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 22 Slide 1 Software Verification, Validation and Testing.

Automatically Repairing Broken Workflows for Evolving GUI Applications Sai Zhang University of Washington Joint work with: Hao Lü, Michael D. Ernst.

1 Swaddler: An Approach for the Anomaly-based Detection of State Violations in Web Application Marco Cova, Davide Balzarotti, Viktoria Felmetsger, and.

Software Security Without The Source Code By Matt Hargett.

THE DEVIL IS IN THE (IMPLEMENTATION) DETAILS: AN EMPIRICAL ANALYSIS OF OAUTH SSO SYSTEMS SAN-TSAI SUN & KONSTANTIN BEZNOSOV PRESENTED BY: NAZISH KHAN COMPSCI.

Yuchen Zhou and David Evans Presented by Simon du Preez Compsci 726 SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities.

By Davide Balzarotti Marco Cova Viktoria V. FelmetsgerGiovanni Vigna Presented by: Mostafa Saad.

nd Joint Workshop between Security Research Labs in JAPAN and KOREA Polymorphic Worm Detection by Instruction Distribution Kihun Lee HPC Lab., Postech.

Introduction Program File Authorization Security Theorem Active Code Authorization Authorization Logic Implementation considerations Conclusion.

Mapping web applications Note: Unless noted differently, all scanned figures were from the textbook, Stuttard & Pinto, 2011.

EECS 354: Network Security Group Members: Patrick Wong Eric Chan Shira Schneidman Web Attacks Project: Detecting XSS and SQL Injection Vulnerabilities.

User Authentication  fundamental security building block basis of access control & user accountability  is the process of verifying an identity claimed.

Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.

CS 5150 Software Engineering Lecture 22 Reliability 3.

Lect5.ppt - 02/23/06 CIS 4100 Systems Performance and Evaluation Lecture 6 by Zornitza Genova Prodanoff.

SOFTWARE TESTING AND QUALITY ASSURANCE. Software Testing.

Heat-seeking Honeypots: Design and Experience John P. John, Fang Yu, Yinglian Xie, Arvind Krishnamurthy and Martin Abadi WWW 2011 Presented by Elias P.

Eric Van Horn Cosc 356.  Nearly every organization in todays era uses computers and a network to send, receive, and store information  Very important.

TEMPLATE DESIGN © Automatic Classification of Parameters and Cookies Ali Reza Farid Amin 1, Gregor v. Bochmann 1, Guy-Vincent.

Internet Quarantine: Requirements for Containing Self-Propagating Code

Cloud Security– an overview Keke Chen

Key Points Unfolding the Situations to Drill a Framework in PHP

Static Detection of Cross-Site Scripting Vulnerabilities

Avraham Leff James T. Rayfield IBM T.J. Watson Research Center

What is REST API ? A REST (Representational State Transfer) Server simply provides access to resources and the REST client accesses and presents the.

Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs

SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities Yuchen Zhou, and David Evans 23rd USENIX Security Symposium, August,

HTML Level II (CyberAdvantage)

11/17/2018 9:32 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN.

Multi-party Authentication in Web Services

CSCE 813 Internet Security Fall 2012

Logic: tool-based modeling and reasoning

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems

SESSION 11: DATA COLLECTION WITH THE INTERNET

Presentation transcript:

Web Logic Vulnerability By Eric Jizba and Yan Chen With slides from Fangqi Sun and Giancarlo Pellegrino

Outline  Background and Motivation  Related Work  Whitebox approach  Detecting Logic Vulnerabilities in E-Commerce Applications  Fangqi Sun, Liang Xu, Zhendong Su  Blackbox approach  Toward Black-box Detection of Logic Flaws in Web Applications  Giancarlo Pellegrino, Davide Balzarotti

Background and motivation

Design Verification BrowserID SSO Analysis  Daniel Fett, Ralf Ku ̈ sters, and Guido Schmitz created expressive model for web infrastructure  Manual analysis: more comprehensive and accurate  Discovered logic vulnerability in BrowserID  Allows attacker to sign-in to any service that supports BrowserID using the address of any user without know their credentials  Proposed fix adopted by Mozilla simply involves verifying the address is correct

Blackbox Approach InteGuard: Web Service Integration Security  Third party APIs are more and more popular  SSO, Cashier Services, Maps, Search, etc.  Key Insight: most web APIs require small number of simple input parameters that are usually set by the user  InteGuard looks at web traffic between the app and third part service to analyze invariants (e.g. orderID, price)  Does not require source code  Mostly automatic  Cannot handle more complex invariant relations (such as the relation between signed content and its signature)

Blackbox Approach Parameter Pollution Vulnerabilities  Related to Logic Vulnerabilities  Generally does not analyze logic flow, just parameters in isolation  NoTamper detects insufficient server-side validations where the server fails to replicate validations on the client side  PAPAS uses a blackbox scanning technique for vulnerable parameters

Related Work

Whitebox Approach Basic Problem

Whitebox Approach Main Ideas

Whitebox Approach Evaluation and Results

Open Issues  Cannot identify all logic vulnerabilities  Does not support JavaScript analysis  Limited analysis of dynamic language features

Questions?

Blackbox Approach Basic Problem

Blackbox Approach Main Ideas

Blackbox Approach Evaluation and Results

Open Issues  Only tests attacks through data flow and workflow  E.g. does not test unauthorized access to resources  Automation favors efficiency over coverage

Questions?