j k using dynamic analysis to crawl and test modern web
play

jk: Using Dynamic Analysis to Crawl and Test Modern Web Applications - PowerPoint PPT Presentation

Oct 25, 2023 •265 likes •732 views

jk: Using Dynamic Analysis to Crawl and Test Modern Web Applications Giancarlo Pellegrino (1) , Constantin Tschrtz (2) , Eric Bodden (2) , and Christian Rossow (1) 18th International Symposium on Research in Attacks, Intrusions and Defenses

  1. jÄk: Using Dynamic Analysis to Crawl and Test Modern Web Applications Giancarlo Pellegrino (1) , Constantin Tschürtz (2) , Eric Bodden (2) , and Christian Rossow (1) 18th International Symposium on Research in Attacks, Intrusions and Defenses November 3rd, Kyoto, Japan (1) CISPA, Saarland University, Germany (2) Fraunhofer SIT / TU Darmstadt, Germany

  2. Web Application Scanners  (Semi-)automated security testing tools  Follow a dynamic and black-box testing approach Nov. 3, 2016

  3. Web Application Scanners  (Semi-)automated security testing tools  Follow a dynamic and black-box testing approach Nov. 3, 2016

  4. Architecture Crawler Module Attacker Module Analysis Module Nov. 3, 2016

  5. Crawler Seed URL http://shop.foo http://shop.foo Nov. 3, 2016

  6. Crawler http://shop.foo <html> <head> <title>Online shopping</title> </head> <body> <a href=”/contacts”>Contacts</a> <form action=”/search”> <input type=”text” name=”q”/> <input type=”submit”/> </form> </body> </html> Nov. 3, 2016

  7. Crawler http://shop.foo <html> <head> <title>Online shopping</title> </head> <body> <a href=”/contacts”>Contacts</a> <form action=”/search”> <input type=”text” name=”q”/> <input type=”submit”/> </form> </body> </html> New URL Nov. 3, 2016

  8. Crawler http://shop.foo <html> <head> <title>Online shopping</title> </head> <body> <a href=”/contacts”>Contacts</a> <form action=”/search”> <input type=”text” name=”q”/> <input type=”submit”/> </form> </body> </html> New search HTML form Nov. 3, 2016

  9. Crawler Next? http://shop.foo/contacts Nov. 3, 2016

  10. Crawler http://shop.foo/contacts <html> <head> <title>Contact Page</title> </head> <body> <form action=”/comments”> <input type=”text” name=”msg”/> <input type=”submit”/> </form> </body> </html> New HTML form Nov. 3, 2016

  11. Security Testing XSS payload SQL payload XSS payload SQL payload <form action=”/search”> shop.foo Tests == Attacks <input type=”text” name=”q”/> <input type=”submit”/> </form> Responses ? Nov. 3, 2016

  12. Crawler Critical for Coverage  Crawler explores the Web application attack surface ● Missing parts → missing possible vulnerabilities  Existing crawlers based on: ● HTML parsing and pattern matching to extract URLs ● “clickable” areas to further explore the surface Nov. 3, 2016

  13. Crawler and Modern Web Applications  Complexity of client side has dramatically increased (i.e., stateful JS programs) Nov. 3, 2016

  14. Crawler and Modern Web Applications  Complexity of client side has dramatically increased (i.e., stateful JS programs)  Links and forms can be built and inserted in the webpage at run-time var url = scheme() + '://' + domain() + '/' + endpoint(); document.getElementByID('myLink').href = url; ➔ HTML parsing and pattern matching no longer sufficient Nov. 3, 2016

  15. Crawler and Modern Web Applications  Complexity of client side has dramatically increased (i.e., stateful JS programs)  Links and forms can be built and inserted in the webpage at run-time var url = scheme() + '://' + domain() + '/' + endpoint(); document.getElementByID('myLink').href = url; ➔ HTML parsing and pattern matching no longer sufficient  JS is an event-driven language click generate URLs/HTML form mouse movement register new events timeout Ajax requests Ajax response received ● Functions executed upon events ➔ Lack of support of event-based execution model Nov. 3, 2016

  16. Crawler and Modern Web Applications  Complexity of client side has dramatically increased (i.e., stateful JS programs)  Links and forms can be built and inserted in the webpage at run-time var url = scheme() + '://' + domain() + '/' + endpoint(); document.getElementByID('myLink').href = url; ➔ HTML parsing and pattern matching no longer sufficient  JS is an event-driven language click generate URLs/HTML form mouse movement register new events timeout Ajax requests Ajax response received ● Functions executed upon events ➔ Lack of support of event-based execution model Large part of web applications remain unexplored! Large part of web applications remain unexplored! Nov. 3, 2016

  17. Crawler and Modern Web Applications  Complexity of client side has dramatically increased (i.e., stateful JS programs)  Links and forms can be built and inserted in the webpage at run-time var url = scheme() + '://' + domain() + '/' + endpoint(); document.getElementByID('myLink').href = url;  We addressed the coverage problem with ➔ HTML parsing and pattern matching no longer sufficient ● JavaScript client side dynamic analysis  JS is an event-driven language ● Model-based Crawler click generate URLs/HTML form  Build a tool: jÄk mouse movement register new events timeout Ajax requests Ajax response received ● Functions executed upon events ➔ Lack of support of event-based execution model Large part of web applications remain unexplored! Large part of web applications remain unexplored! Nov. 3, 2016

  18. Our Approach Dynamic Analysis Model-based Crawler Action JS Engine Navigator I/O Probe Seed URL Handler reg. Model Inference/Update APIs Trace Trace Analysis  Combine dynamic analysis with model-based crawler ● Dynamic analysis monitors client side program execution ● Crawler builds, maintains, uses a model of the visited attack surface Nov. 3, 2016

  19. Dynamic Analysis Action JS Engine Environment Navigator I/O Probe Seed URL Handler reg. Model Inference/Update APIs Trace Trace Analysis  Different approaches: Nov. 3, 2016

  20. Dynamic Analysis Action JS Engine Environment Navigator I/O Probe Seed URL Handler reg. Model Inference/Update APIs Trace Trace Analysis  Different approaches: 1) JS engine instrumentation → laborious task, engine-dependent Nov. 3, 2016

  21. Dynamic Analysis Action JS Engine Environment Navigator I/O Probe Seed URL Handler reg. Model Inference/Update APIs Trace Trace Analysis  Different approaches: 1) JS engine instrumentation → laborious task, engine-dependent 2) JS program instrumentation → JS code is not entirely available Nov. 3, 2016

  22. Dynamic Analysis Action JS Engine Environment Navigator I/O Probe Seed URL Handler reg. Model Inference/Update APIs Trace Trace Analysis  Different approaches: 1) JS engine instrumentation → laborious task, engine-dependent 2) JS program instrumentation → JS code is not entirely available 3) Modification of execution environment Nov. 3, 2016

  23. Dynamic Analysis Action JS Engine Environment Navigator I/O Probe Seed URL Handler reg. Model Inference/Update APIs  Modify execution environment via function hooking : Intercept API calls (e.g., network I/O and event handler registration) ● Object manipulations (i.e., object properties) ● Schedule DOM inspections ●  Hooks installed by injecting own JS code: Function redefinition ● Set functions ● Nov. 3, 2016

  24. Function Redefinition function handler() { alert("hello world"); Application JS code } el = document.getElementByID('img') el.addEventListener("click", handler); Nov. 3, 2016

  25. Function Redefinition function handler() { alert("hello world"); } el = document.getElementByID('img') el.addEventListener("click", handler); Nov. 3, 2016

  26. Function Redefinition function handler() { alert("hello world"); } el = document.getElementByID('img') el.addEventListener("click", handler); Nov. 3, 2016

  27. Function Redefinition Element.prototype.addEventListener = function(e, h) { Element.prototype.addEventListener = function(e, h) { function handler() { […] API […] API alert("hello world"); listeners[e].append(h); listeners[e].append(h); } } } el = document.getElementByID('img') el.addEventListener("click", handler); Nov. 3, 2016

  28. Function Redefinition Element.prototype.addEventListener = function(e, h) { Element.prototype.addEventListener = function(e, h) { function handler() { […] API […] API alert("hello world"); listeners[e].append(h); listeners[e].append(h); } } } el = document.getElementByID('img') el.addEventListener("click", handler); Intercept! Intercept! Nov. 3, 2016

  29. Function Redefinition preamble function handler() { alert("hello world"); Application JS code } el = document.getElementByID('img') el.addEventListener("click", handler); var orig_f = Element.prototype.addEventListener; var orig_f = Element.prototype.addEventListener; PREAMBLE PREAMBLE Element.prototype.addEventListener = function(){ Element.prototype.addEventListener = function(){ console.log("new handler registration"); console.log("new handler registration"); return orig_f.apply(this, argument); return orig_f.apply(this, argument); }; }; Nov. 3, 2016

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Introduction to Dynamic Analysis Reference material Introduction to dynamic analysis Zhu,

Introduction to Dynamic Analysis Reference material Introduction to dynamic analysis Zhu,

Introduction to Dynamic Analysis Reference material Introduction to dynamic analysis Zhu, Hong, Patrick A. V. Hall, and John H. R. May, &quot;Software Unit Test Coverage and Adequacy,&quot; ACM Computing Surveys, vol. 29, no.4, pp.

1.03k views • 58 slides
Rubber Test Application Highlights Versatile and Dynamic ElectroForce Instruments 1

Rubber Test Application Highlights Versatile and Dynamic ElectroForce Instruments 1

Rubber Test Application Highlights Versatile and Dynamic ElectroForce Instruments 1 TAINSTRUMENTS.COM TAINSTRUMENTS.COM TA Instruments Thermal Analysis Rheology Thermogravimetric Analysis Microcalorimetry Dynamic Mechanical Analysis

378 views • 8 slides
#VentureCrawl An Exploration of the urban Entrepreneurship Eco-system LONDON VENTURE CRAWL

#VentureCrawl An Exploration of the urban Entrepreneurship Eco-system LONDON VENTURE CRAWL

#VentureCrawl An Exploration of the urban Entrepreneurship Eco-system LONDON VENTURE CRAWL LONDON VENTURE CRAWL What is this thing? LONDON VENTURE CRAWL Venture Crawl through the ages.. 2017 2018 2019 LONDON VENTURE CRAWL

512 views • 22 slides
Distributed Web Crawling over DHTs Boon Thau Loo, Owen Cooper, Sailesh Krishnamurthy CS294-4

Distributed Web Crawling over DHTs Boon Thau Loo, Owen Cooper, Sailesh Krishnamurthy CS294-4

Distributed Web Crawling over DHTs Boon Thau Loo, Owen Cooper, Sailesh Krishnamurthy CS294-4 Search Today Search Index Crawl Crawl Whats Wrong? Users have a limited search interface Todays web is dynamic and growing: Timely

825 views • 21 slides
The Glimpse of Detectron : Dynamic Forwarding and Routing in Modern Detectors Ziwei Liu

The Glimpse of Detectron : Dynamic Forwarding and Routing in Modern Detectors Ziwei Liu

The Glimpse of Detectron : Dynamic Forwarding and Routing in Modern Detectors Ziwei Liu Multimedia Lab (MMLAB) The Chinese University of Hong Kong Dynamic Forwarding Content-Aware Resolution-Adaptive A neurobiological model of visual

1.19k views • 80 slides
Management Strategies and Dynamic Financial Analysis Dynamic Financial Analysis CAS Spring

Management Strategies and Dynamic Financial Analysis Dynamic Financial Analysis CAS Spring

Management Strategies and Dynamic Financial Analysis Dynamic Financial Analysis CAS Spring Meeting Martin Eling, University of Ulm Thomas Parnitzke, Baloise Holding San Diego, May 23-26, 2010 Hato Schmeiser, University of St. Gallen Hato

639 views • 30 slides
MODERN 1 MODERN 2 MODERN 3 MODERN 4 MODERN A peep at some distant orb has power to raise

MODERN 1 MODERN 2 MODERN 3 MODERN 4 MODERN A peep at some distant orb has power to raise

MODERN 1 MODERN 2 MODERN 3 MODERN 4 MODERN A peep at some distant orb has power to raise and purify our thoughts like a strain picture, or a passage from the grander poets. It always does one good. 5 MODERN 6 MODERN 7 MODERN 8

524 views • 24 slides
System Test, Static Analysis Test SW V&amp;V, CTIP, (ANT, SVN, Mantis) 200611490

System Test, Static Analysis Test SW V&amp;V, CTIP, (ANT, SVN, Mantis) 200611490

System Test, Static Analysis Test SW V&amp;V, CTIP, (ANT, SVN, Mantis) 200611490 200913988 201011318 201011358 Contents Category partition &amp; Pairwise testing Clover Sonar Analysis

559 views • 36 slides
Augmenting Dynamic Typing with Static-Analysis Reid Draper @reiddraper Reid Draper @reiddraper

Augmenting Dynamic Typing with Static-Analysis Reid Draper @reiddraper Reid Draper @reiddraper

Augmenting Dynamic Typing with Static-Analysis Reid Draper @reiddraper Reid Draper @reiddraper takeaways tl;dr JUST USE HASKELL JUST USE IDRIS several modern functional languages have optional type systems they are mature enough to be

1.12k views • 76 slides
Today Amortized analysis Dynamic tables Amortized Analysis and Splay Trees Splay

Today Amortized analysis Dynamic tables Amortized Analysis and Splay Trees Splay

Today Amortized analysis Dynamic tables Amortized Analysis and Splay Trees Splay trees Inge Li Grtz CLRS Chapter 17 Je ff Erickson notes Dynamic tables Dynamic tables Problem. Have to assign size of table at initialization.

365 views • 11 slides
Supporting PHP Dynamic Analysis in PHP AiR Mark Hills 13th International Workshop on Dynamic

Supporting PHP Dynamic Analysis in PHP AiR Mark Hills 13th International Workshop on Dynamic

Supporting PHP Dynamic Analysis in PHP AiR Mark Hills 13th International Workshop on Dynamic Analysis (WODA 2015) October 26, 2015 Pittsburgh, Pennsylvania, USA http://www.rascal-mpl.org 1 PHP AiR: PHP Analysis in Rascal PHP AiR: a framework

528 views • 16 slides
Dyna Dynamic mic Analysis Analysis of the of the Co-evo Co evoluti lution on of Ex of

Dyna Dynamic mic Analysis Analysis of the of the Co-evo Co evoluti lution on of Ex of

Dyna Dynamic mic Analysis Analysis of the of the Co-evo Co evoluti lution on of Ex of Exac act t Cove Covers rs EVOLVE 2011, Luxembourg Jeffrey Horn GECCO June 28, 2005 IEEE SSCI FOCI 2007 Northern Nort hern Mi Michigan Univer

981 views • 46 slides
Modern MDL Meets Data Mining Insight, Theory, and Practice Part IV Dynamic Setting Kenji

Modern MDL Meets Data Mining Insight, Theory, and Practice Part IV Dynamic Setting Kenji

Modern MDL Meets Data Mining Insight, Theory, and Practice Part IV Dynamic Setting Kenji Yamanishi Graduate School of Information Science and Technology, the University of Tokyo August 4 th 2019 KDD Tutorial Part IV. Dynamic Setting

944 views • 60 slides
Shape Analysis for Redistricting modern geometry meets modern politics Zachary Schutzman

Shape Analysis for Redistricting modern geometry meets modern politics Zachary Schutzman

Shape Analysis for Redistricting modern geometry meets modern politics Zachary Schutzman University of Pennsylvania &amp; Metric Geometry and Gerrymandering Group Hyperbolic Lunch, U. of Toronto Mathematics February 21st, 2019

844 views • 46 slides
EPICREALM DYNAMIC WEBSITE PATENTS CLAIM CONSTRUCTION ANALYSIS Dan Ravicher What is a Dynamic

EPICREALM DYNAMIC WEBSITE PATENTS CLAIM CONSTRUCTION ANALYSIS Dan Ravicher What is a Dynamic

EPICREALM DYNAMIC WEBSITE PATENTS CLAIM CONSTRUCTION ANALYSIS Dan Ravicher What is a Dynamic Website? Produces a Customized Response to User Input Examples Google, Yahoo and other seach engines Online banking E-Tailors

437 views • 26 slides
AN SLP ONCE TRIED TO TEST ME Making use of dynamic assessment, counseling strategies, medical

AN SLP ONCE TRIED TO TEST ME Making use of dynamic assessment, counseling strategies, medical

AN SLP ONCE TRIED TO TEST ME Making use of dynamic assessment, counseling strategies, medical history, and the interdisciplinary team for effective patient advocacy and treatment Will Farnham, MS CCC - SLP FUTURE COLLEAGUE COLLAB MAY 6,

496 views • 27 slides
Focussed Web Crawling Using RL Searching web for pages relevant to a specific subject No

Focussed Web Crawling Using RL Searching web for pages relevant to a specific subject No

1 Focussed Web Crawling Using RL Searching web for pages relevant to a specific subject No organised directory of web pages Reinforcement Learning Web Crawling : start at one root page, follow links to other pages, follow their Lecture

407 views • 3 slides
A C r a w l i n g A p p l i c a t i o n w i t h R Wh a t a b o u t

A C r a w l i n g A p p l i c a t i o n w i t h R Wh a t a b o u t

A C r a w l i n g A p p l i c a t i o n w i t h R Wh a t a b o u t R e a l E s t a t e ? Wh a t a b o u t R e a l E s t a t e ? R e a l E s t a t e D e v e l o p me n

635 views • 30 slides
Web Crawling Najork and Heydon, High-Performance Web Crawling , Compaq SRC Research Report

Web Crawling Najork and Heydon, High-Performance Web Crawling , Compaq SRC Research Report

Web Crawling Najork and Heydon, High-Performance Web Crawling , Compaq SRC Research Report 173, 2001. Also in Handbook of Massive Data Sets, Kluwer, 2001. Najork and Wiener, Breadth-first search crawling yields high-quality pages . Proc.

358 views • 23 slides
Frontera: Large-Scale Open Source Web Crawling Framework Alexander Sibiryakov, 20 July 2015

Frontera: Large-Scale Open Source Web Crawling Framework Alexander Sibiryakov, 20 July 2015

Frontera: Large-Scale Open Source Web Crawling Framework Alexander Sibiryakov, 20 July 2015 sibiryakov@scrapinghub.com Hola los participantes! Born in Yekaterinburg, RU 5 years at Yandex, search quality department: social and QA

445 views • 21 slides
Mining Second Life: Characterizing User Mobility in a Popular Virtual World Chi-Anh La - Pietro

Mining Second Life: Characterizing User Mobility in a Popular Virtual World Chi-Anh La - Pietro

Introduction Mining Second Life Measurement Methodology Results Conclusion Mining Second Life: Characterizing User Mobility in a Popular Virtual World Chi-Anh La - Pietro Michiardi ACM WOSN 2008 Seattle, WA, U.S. Introduction Mining

212 views • 19 slides
Web Content Mining Dr. Ahmed Rafea Outline Introduction The Web: Opportunities &amp;

Web Content Mining Dr. Ahmed Rafea Outline Introduction The Web: Opportunities &amp;

Web Content Mining Dr. Ahmed Rafea Outline Introduction The Web: Opportunities &amp; Challenges Techniques Applications Introduction The Web is perhaps the single largest data source in the world. Web mining aims to

417 views • 14 slides
Inference in OSNs via Lightweight Partial Crawls Jithin K. Sreedharan Inria, France Konstantin

Inference in OSNs via Lightweight Partial Crawls Jithin K. Sreedharan Inria, France Konstantin

Inference in OSNs via Lightweight Partial Crawls Jithin K. Sreedharan Inria, France Konstantin Avrachenkov Bruno Ribeiro Inria, France Purdue University, USA Sigmetrics 2016, June 16 Motivation Estimation and inference in Online Social

1.26k views • 122 slides
CRAWLING WIT ITH Deeksha Kushal Motwani APACHE NUTCH Shailender Joseph Web-Crawling Apache

CRAWLING WIT ITH Deeksha Kushal Motwani APACHE NUTCH Shailender Joseph Web-Crawling Apache

Ashish Kumar Sinha CRAWLING WIT ITH Deeksha Kushal Motwani APACHE NUTCH Shailender Joseph Web-Crawling Apache Nutch Crawling Algorithm in Apache Nutch CONTENTS RestAPI Demo Conclusion Web-Crawling Web-Crawling is a process by

1.31k views • 67 slides

More recommend