Marking Scheme for Semantic-aware Web Application Security


Presentation on theme: "Marking Scheme for Semantic-aware Web Application Security"— Presentation transcript:

1 Marking Scheme for Semantic-aware Web Application Security
HPC Lab., POSTECH, Korea Tae Hyung Kim

2 Contents
Introduction
Problem Definition
Background
Marking Scheme
Implementation
Discussion
Conclusion

3 Introduction (1/2)
Nearly all web applications are security critical, but only a small fraction of deployed web applications can afford a detailed security review. Several approaches to securing web applications are under research:
Input and output filtering
Web application firewall
Automated testing
Vulnerability scanner
Diversity defense (against code-injection attacks)
    Instruction-set randomization
Information flow security
    Checking the integrity of data from untrusted sources

4 Introduction (2/2)
In particular, many companies and researchers are developing application firewalls for web applications. These firewalls are based on a positive model of the web application, because a rule-based firewall needs extra attention to update its rules periodically. However, it is difficult to build a good positive model without understanding the web application's semantics.

5 Problem Definition
A lack of understanding of web application semantics degrades web application firewalls: many false positives, false negatives, and overhead in the detection process. We propose a new scheme that makes security systems or modules aware of the semantics of the web application.

6 Background: OWASP Top Ten Vulnerabilities
Unvalidated input
Cross site scripting (XSS)
Injection flaws
Buffer overflows
Broken authentication and session management
Broken access control
Improper error handling
Denial of service
Insecure storage
Insecure configuration
Grouped by the kind of attack they enable: Type 1: Injection; Type 2: Poisoning; Type 3: etc.
* OWASP: Open Web Application Security Project

7 Background: Web Attack Analysis
Conditions for exploiting a web system:
A parameter into which malicious code can be inserted
A vulnerable source that processes the parameter
Improper configuration of the environment (optional)
Attacks are initiated by fabricating a parameter, and the parameter is placed in the requested URL or in an HTTP header. We can therefore quarantine web attacks by restricting the data allowed for each parameter and by checking requests against those restrictions.

8 Marking Scheme (1/4): Markers
Markers are embedded in the parameter names of web sources. In the example below, p_Username accepts plain alphabet only and pn_Passwd accepts alphabet and digits; the SQL statement is still built by string concatenation, so the markers are what keeps quotes and other special characters out of it.

Login.htm:
<form action="ExecLogin.asp" method="post">
Username: <input type="text" name="p_Username"><br>
Passwd: <input type="password" name="pn_Passwd"><br>
<input type="submit">
</form>

ExecLogin.asp:
<%
' Marked parameter names: p_ = plain alphabet only, pn_ = alphabet and digits
Dim p_strUsername, p_strPassword, objRS, strSQL
p_strUsername = Request.Form("p_Username")
p_strPassword = Request.Form("pn_Passwd")
' Query built by concatenation; the markers restrict what can reach it
strSQL = "SELECT * FROM tblUsers " & _
         "WHERE Username='" & p_strUsername & _
         "' and Password='" & p_strPassword & "'"
Set objRS = Server.CreateObject("ADODB.Recordset")
objRS.Open strSQL, "DSN=..."
If (objRS.EOF) Then
    Response.Write "Invalid login."
Else
    Response.Write "You are logged in as " & objRS("Username")
End If
Set objRS = Nothing
%>

Markers for input restriction:
p_    plain alphabet only
n_    number only
w_    white space
s_    special characters
lxx_  maximum length xx
Markers for integrity check:
xxx_cookieName, where xxx is a random number

9 Marking Scheme (2/4): Architecture
Diagram: User -> Web Firewall (Input Validation, Integrity Check) -> Web Server (web application with marked parameters)

10 Marking Scheme (3/4): Defense of Injection Attacks
Diagram: Normal User / Attacker -> Network -> Web Firewall -> Web Server; the firewall handles each URL request as follows:
(1) Parse the requested URL.
(2) Pass the parsed parameters to each checking module.
(3) If all modules say O.K., pass the request.
(4) If not, drop the packet.
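As an added example (not code from the presentation), a Python sketch of the firewall side of slides 8 and 10: it parses the query string of a requested URL, reads the markers off each parameter name, and passes the request only when every parameter satisfies its markers. The way several markers stack in one name (pn_Passwd in the slide's form) and the exact character sets are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qsl

# Character classes per marker (slide 8). Exact sets are an assumption; the
# "s" class is escaped so it can be dropped into a regex character class.
ALLOWED_CHARS = {
    "p": "A-Za-z",                                          # plain alphabet only
    "n": "0-9",                                             # number only
    "w": r" \t",                                            # white space
    "s": re.escape("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"),   # special characters
}
# Markers are stacked before the underscore, e.g. "pn_Passwd" or "l16p_User"
# (assumed composition rule; lxx = maximum length xx).
MARKER_RE = re.compile(r"^((?:l\d+|[pnws])+)_(.+)$")

def parse_markers(name):
    """Return (marker set, max length or None, bare name), or None if unmarked."""
    m = MARKER_RE.match(name)
    if not m:
        return None
    markers, max_len = set(), None
    for tok in re.findall(r"l\d+|[pnws]", m.group(1)):
        if tok.startswith("l"):
            max_len = int(tok[1:])
        else:
            markers.add(tok)
    return markers, max_len, m.group(2)

def check_param(name, value):
    """True when value satisfies every marker carried by the parameter name."""
    parsed = parse_markers(name)
    if parsed is None:
        return True                     # unmarked: nothing to enforce here
    markers, max_len, _ = parsed
    if max_len is not None and len(value) > max_len:
        return False
    classes = "".join(ALLOWED_CHARS[mk] for mk in markers)
    if not classes:                     # only a length marker was given
        return True
    return re.fullmatch(f"[{classes}]*", value) is not None

def request_allowed(url):
    """Steps (1)-(4) of slide 10: parse the URL, check every parameter,
    pass the request only if all checks succeed (otherwise drop it)."""
    params = parse_qsl(urlparse(url).query, keep_blank_values=True)
    return all(check_param(name, value) for name, value in params)
```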

11 Marking Scheme (4/4): Defense of Cookie Poisoning
Diagram: Normal User / Attacker -> Network -> Web Firewall (memory) -> Web Server. Example marked cookies: 111_cookie:aaa, 222_cookie:bbb, 333_cookie:ccc.
(1) Cookie names are marked with a random number.
(2) The firewall stores a number-hashValue pair in memory, e.g. 111, hash(aaa).
(3)-1 Normal request: the cookie arrives unchanged.
(3)-2 Poisoning: the attacker alters the cookie value.
(4) Check the number-hashValue pair: if the pair exists, pass the request; if not, drop it.
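Slide 11's cookie check, as an added Python example that is not part of the presentation: when the server sets a cookie the firewall renames it with a random number and stores that number with a hash of the value; on each request it drops anything whose marked cookie no longer matches a stored pair. SHA-256 as the hash, the 9-digit number range, and rejecting unmarked cookies are assumptions.

```python
import hashlib
import re
import secrets
from http.cookies import SimpleCookie

class CookieIntegrityFilter:
    """Firewall side of slide 11: mark cookie names with a random number,
    remember (number, hash(value)), and verify both on every request."""

    def __init__(self):
        self.table = {}  # random number -> hash of the value the server set

    def mark_set_cookie(self, name, value):
        """Steps (1) and (2): on a server response, return the marked name
        the client will see and store the number-hashValue pair."""
        number = secrets.randbelow(10**9)          # assumption: 9-digit marker
        while number in self.table:                # never reuse a number
            number = secrets.randbelow(10**9)
        self.table[number] = hashlib.sha256(value.encode()).hexdigest()
        return f"{number}_{name}"

    def request_allowed(self, cookie_header):
        """Step (4): parse the Cookie header and pass the request only if
        every cookie is marked and its (number, hash) pair is stored."""
        jar = SimpleCookie()
        jar.load(cookie_header)
        for marked_name, morsel in jar.items():
            m = re.fullmatch(r"(\d+)_(.+)", marked_name)
            if not m:
                # assumption: every legitimate cookie was marked on the way
                # out, so an unmarked one is treated as tampering (otherwise
                # stripping the marker would bypass the check)
                return False
            digest = hashlib.sha256(morsel.value.encode()).hexdigest()
            if self.table.get(int(m.group(1))) != digest:
                return False     # (3)-2 poisoning: value changed or unknown number
        return True              # (3)-1 normal
```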

12 Implementation
Web Page Conversion (WPC) tool: GUI-based. Diagram: Web page -> WPC tool -> Marked web page (used by the User).
Web Application Firewall: implemented on Linux, based on "mod security for apache".

13 Discussion: Adapting the Marking Scheme to Other Applications
A security system for another application should be:
* Syntax-aware (including the protocol)
* Semantic-aware
* Capable of checking integrity
Guiding information for the security system: markers and the protocol.
Diagram: Normal User / Attacker -> (1) Security System -> (2) Application.

14 Conclusion
We propose a new security scheme for securing web applications. By making the application firewall aware of the web application's semantics, the scheme lets it filter malicious packets easily and efficiently. As future work, we need to implement the WPC tool and realize the firewall in detail. We also need more experiments to improve the scheme.
