Using Web Security Scanners to Detect Vulnerabilities in Web Services (presentation slides, DSN 2009)


  1. Using Web Security Scanners to Detect Vulnerabilities in Web Services
     Marco Vieira, Nuno Antunes, Henrique Madeira
     {mvieira, nmsa, henrique}@dei.uc.pt
     DSN 2009
     CISUC, Department of Informatics Engineering, University of Coimbra

  2. Outline
      Contextualization
      Research Goals
      Methodology
      Results
      Conclusions and Future Work
     (Slide footer: Nuno Antunes, DSN 2009, June 29 - July 2, Estoril, Portugal)

  3. Contextualization
      Web services are increasingly becoming a strategic component in a wide range of organizations
      Web services are so exposed that any existing vulnerability will most probably be uncovered and exploited
      Both providers and consumers need to assess the security of the services they use

  4. Web Services [figure only; the slide carries no text]

  5. Web Services Security
      Security threats
         Hackers are moving their focus to the applications' code
         Traditional security mechanisms (firewall, IDS, encryption) cannot mitigate these attacks: the malicious input arrives inside well-formed, authorized requests
         Vulnerabilities like SQL Injection and XPath Injection are particularly relevant
      Developers must
         Apply best coding practices
         Security testing!

  6. Vulnerability Examples
     SQL Injection in an authentication method (injected value for login: ' OR 1=1 -- ):

        public String auth(String login, String pass) throws SQLException {
            // user-controlled input is concatenated straight into the query text
            String sql = "SELECT * FROM users WHERE " +
                         "username='" + login + "' AND " +
                         "password='" + pass + "'";
            ResultSet rs = statement.executeQuery(sql);
            ...
        }

        Resulting query (the "--" comments out the password check, and 1=1 is true for every row):
        SELECT * FROM users WHERE username='' OR 1=1 -- ' AND (...) password=''

     SQL Injection in a delete method (injected value for str: ' OR ''='):

        public void delete(String str) throws SQLException {
            String sql = "DELETE FROM table " +
                         "WHERE id='" + str + "'";
            statement.executeUpdate(sql);
        }

        Resulting query (''='' is always true, so every row is deleted):
        DELETE FROM table WHERE id='' OR ''=''
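The two methods on slide 6, re-created as an added example (not code from the slides or from the authors) in Python over an in-memory SQLite database, so the slide's two payloads can be executed locally; each vulnerable method is placed beside a parameterized version. The user and item rows, the "items" table and the function names are constructed for this example.

```python
"""Added example, not code from the slides: the two methods of slide 6
re-created in Python over an in-memory SQLite database, each beside a
parameterized version. Table contents and the 'items' table are constructed."""
import sqlite3

# The two payloads annotated on slide 6, verbatim.
AUTH_PAYLOAD = "' OR 1=1 -- "
DELETE_PAYLOAD = "' OR ''='"


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two user accounts and three item rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE users (username TEXT, password TEXT);"
        "INSERT INTO users VALUES ('alice', 's3cret'), ('bob', 'hunter2');"
        "CREATE TABLE items (id TEXT PRIMARY KEY);"
        "INSERT INTO items VALUES ('a1'), ('b2'), ('c3');"
    )
    return con


def auth_vulnerable(con, login, pw):
    """Slide 6 auth(): user input concatenated into the SQL text.
    Returns the number of rows the query matches (0 means login rejected)."""
    sql = ("SELECT * FROM users WHERE "
           "username='" + login + "' AND "
           "password='" + pw + "'")
    return len(con.execute(sql).fetchall())


def auth_safe(con, login, pw):
    """Same query with bound parameters: the payload is compared as a
    literal username and can never change the query structure."""
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return len(con.execute(sql, (login, pw)).fetchall())


def delete_vulnerable(con, item_id):
    """Slide 6 delete(): returns the number of rows actually deleted."""
    sql = "DELETE FROM items WHERE id='" + item_id + "'"
    return con.execute(sql).rowcount


def delete_safe(con, item_id):
    """Parameterized delete: the payload matches no id, so nothing is removed."""
    return con.execute("DELETE FROM items WHERE id=?", (item_id,)).rowcount


def run_payloads():
    """Exercise both payloads against both variants; returns the row counts."""
    con = make_db()
    r = {
        # WHERE username='' OR 1=1 -- ' AND password='wrong'  -> every user matches
        "auth_vuln_bypass": auth_vulnerable(con, AUTH_PAYLOAD, "wrong"),
        "auth_safe_bypass": auth_safe(con, AUTH_PAYLOAD, "wrong"),
        "auth_safe_legit": auth_safe(con, "alice", "s3cret"),
        # WHERE id='' OR ''=''  -> always true, the whole table is deleted
        "delete_vuln_rows": delete_vulnerable(con, DELETE_PAYLOAD),
    }
    con = make_db()  # fresh copy: the previous 'items' table is now empty
    r["delete_safe_rows"] = delete_safe(con, DELETE_PAYLOAD)
    r["delete_safe_legit"] = delete_safe(con, "a1")
    return r


if __name__ == "__main__":
    for name, rows in run_payloads().items():
        print(f"{name}: {rows}")
```

Running the script prints six counts: the vulnerable auth() matches both user rows for the payload and the vulnerable delete() removes all three items, while the parameterized versions return 0 for the payloads and 1 for legitimate input. The fix is binding parameters, not escaping quotes: the SQL structure is fixed before any user data reaches the database.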

  7. Software Testing techniques
      White-box testing: analysis of the application's code
      Black-box testing: analysis of the application's execution, searching for vulnerabilities; known as penetration testing
      Gray-box testing: approaches that combine black-box and white-box testing

  8. Web Security Scanners
      An easy and widely used way to test applications for vulnerabilities
      Use fuzzing techniques to attack the application through its inputs
      Perform thousands of tests in an automated way
      What is the effectiveness of these tools?
      Can programmers rely on these tools?

  9. Research Goals
      Study the effectiveness of the scanners
      Identify common types of vulnerabilities
      In the context of web service environments

  10. Methodology
      Apply leading commercial scanners to public web services
      300 web services tested, randomly selected
      4 scanners used (including two different versions of the same product)

  11. Experimental Study
      Preparation: select services and scanners
      Execution: test the services using the scanners
      Verification: identify false positives
      Analysis: analysis and systematization of results

  12. Scanners [table of the scanners used; the deck identifies them only as VS1.1 and VS1.2 (two versions of one product), VS2 and VS3]

  13. Vulnerabilities Found
      SQL Injection
      XPath Injection
      Code Execution
      Possible Parameter Based Buffer Overflow
      Possible Username or Password Disclosure
      Possible Server Path Disclosure

  14. Overall results analysis

     Vulnerability type                          VS1.1        VS1.2        VS2          VS3
                                                Vuln.  WS    Vuln.  WS    Vuln.  WS    Vuln.  WS
     SQL Injection                               217    38    225    38     25     5     35    11
     XPath Injection                              10     1     10     1      0     0      0     0
     Code Execution                                1     1      1     1      0     0      0     0
     Possible Parameter Based Buffer Overflow      0     0      0     0      0     0      4     3
     Possible Username or Password Disclosure      0     0      0     0      0     0     47     3
     Possible Server Path Disclosure               0     0      0     0      0     0     17     5
     Total                                       228    40    236    40     25     5    103    22

     (Vuln. = number of vulnerabilities reported by the scanner; WS = number of web services in which they were reported. The Total row counts distinct services, so the WS column is not a sum.)

  15-19. SQL Injection [Venn diagram, built up over five slides, of the SQL Injection vulnerabilities reported by VS1.1, VS1.2, VS2 and VS3 and of how the four sets overlap; VS1.2 is shown first on its own (225 findings), then VS1.1, VS3 and VS2 are added. The individual region counts are not legible in the extracted text. The last slide marks the diagram with a "?", leading into the false-positive examination that follows.]

  20. False Positives examination
      A reported vulnerability is a false positive when
         the error/answer obtained is related to an application robustness problem
         the same problem occurs when the service is executed with valid inputs
      A reported vulnerability is confirmed when
         it is possible to observe that a SQL command was invalidated by the "injected" values
         the "injected" values lead to exceptions raised by the database server
         it is possible to access unauthorized resources
      Findings that meet neither set of criteria are classified as doubtful (see the next slide)

  21. False Positives results (SQL Injection findings per scanner; values read from the stacked bar chart, percentages relative to the findings the scanner reported)

     Scanner   Reported   False positives   Doubtful      Confirmed
     VS1.1        217        87 (40%)        14 (6.5%)       116
     VS1.2        225        83 (37%)        26 (11.6%)      116
     VS2           25         0               8 (32%)         17
     VS3           35         9 (25.7%)       5 (14%)         21

  22-26. SQL Injection without False Positives [the same Venn diagram rebuilt after removing the false positives; VS1.2 is shown first with 142 findings, the value carried into the coverage table on slide 27, then VS1.1, VS3 and VS2 are added. Region counts are not legible in the extracted text; the last slide again carries a "?".]

  27. Coverage analysis
      The real number of vulnerabilities is unavailable, so absolute coverage cannot be computed
      A comparative analysis is still possible: each scanner's findings (after removing false positives) are measured against the union of what all four scanners found (149 SQL Injection vulnerabilities)
      Coverage values are therefore overestimated!! Vulnerabilities missed by every scanner never enter the denominator

     Scanner   # SQL Injection vulnerabilities   Coverage %
     VS1.1            130                          87.2%
     VS1.2            142                          95.3%
     VS2               25                          16.8%
     VS3               26                          17.4%
     Total            149                         100%
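An added example (not the authors' tool or data) that encodes the verification rules of slide 20 as a classifier and then derives the per-scanner summary of slide 21 and the coverage-against-the-union figure of slide 27 from it. The scanner names VS-A, VS-B and VS-C, the services, parameters and findings are all constructed; the true_total argument of coverage() is an assumption added to show why the slide calls its coverage values overestimated.

```python
"""Added example (not the authors' code): the slide-20 verification rules as a
classifier, with slide-21 and slide-27 style summaries computed on top.
Scanner names, services and findings below are constructed."""
from dataclasses import dataclass

CONFIRMED, DOUBTFUL, FALSE_POSITIVE = "confirmed", "doubtful", "false positive"


@dataclass(frozen=True)
class Finding:
    """One scanner report plus what manual re-testing of it showed."""
    scanner: str
    service: str
    parameter: str
    robustness_error: bool = False        # error is a generic input-handling bug
    error_with_valid_input: bool = False  # same error reproduces with benign input
    db_exception: bool = False            # response carries a database-server exception
    sql_invalidated: bool = False         # injected quote/comment visibly broke the SQL command
    unauthorized_access: bool = False     # injected value returned data the caller should not see


def classify(f: Finding) -> str:
    """Apply the slide-20 rules; a finding matching neither set is doubtful.
    The false-positive test runs first: an error that also appears with
    valid input is a robustness problem even if it looks like a DB error."""
    if f.robustness_error or f.error_with_valid_input:
        return FALSE_POSITIVE
    if f.sql_invalidated or f.db_exception or f.unauthorized_access:
        return CONFIRMED
    return DOUBTFUL


def summarize(findings):
    """Per-scanner counts and false-positive rate, as on slide 21."""
    out = {}
    for f in findings:
        row = out.setdefault(f.scanner, {CONFIRMED: 0, DOUBTFUL: 0, FALSE_POSITIVE: 0})
        row[classify(f)] += 1
    for row in out.values():
        reported = row[CONFIRMED] + row[DOUBTFUL] + row[FALSE_POSITIVE]
        row["reported"] = reported
        row["fp_rate_pct"] = round(100 * row[FALSE_POSITIVE] / reported, 1)
    return out


def coverage(findings, true_total=None):
    """Slide-27 style coverage: each scanner's non-false-positive findings over
    the union of every scanner's non-false-positive findings. With no ground
    truth the union is the only denominator available, which is why the slide
    calls the values overestimated; true_total is an assumed real count (not a
    number from the study) that shows how the figures drop when it is known."""
    kept = {f.scanner: set() for f in findings}
    for f in findings:
        if classify(f) != FALSE_POSITIVE:
            kept[f.scanner].add((f.service, f.parameter))
    union = set().union(*kept.values()) if kept else set()
    denominator = max(len(union), true_total or 0)
    if denominator == 0:
        return {sc: 0.0 for sc in kept}
    return {sc: round(100 * len(s) / denominator, 1) for sc, s in kept.items()}


# Constructed findings: same (service, parameter) reported by several scanners
# counts once in the union, whatever each scanner's evidence was.
SAMPLE = [
    Finding("VS-A", "ws1", "login", db_exception=True),
    Finding("VS-A", "ws1", "id", error_with_valid_input=True),
    Finding("VS-A", "ws2", "q"),                          # no evidence either way
    Finding("VS-A", "ws3", "x", unauthorized_access=True),
    Finding("VS-B", "ws1", "login", sql_invalidated=True),
    Finding("VS-B", "ws2", "q", db_exception=True),
    Finding("VS-B", "ws4", "y", robustness_error=True),
    Finding("VS-C", "ws3", "x"),
]

if __name__ == "__main__":
    for scanner, row in summarize(SAMPLE).items():
        print(scanner, row)
    print("coverage vs. union:", coverage(SAMPLE))
    print("coverage if 6 real vulns:", coverage(SAMPLE, true_total=6))
```

With the constructed data VS-A covers 100% of the union, VS-B 66.7% and VS-C 33.3%; assuming six real vulnerabilities instead of the three the scanners found between them halves every figure, which is the overestimation the slide warns about.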

  28. Common Vulnerabilities [pie chart; counts after the false-positive analysis]
      SQL Injection: 149
      Possible Server Path Disclosure: 16
      XPath Injection: 10
      Code Execution: 1
      Possible Parameter Based Buffer Overflow: 1

  29. Conclusions
      A large number of vulnerabilities were observed
      SQL Injection vulnerabilities are prevalent
      Selecting a scanner for web services is a very difficult task
         Different scanners detect different types of vulnerabilities
         High false positive rates
         Low coverage rates
      Can we do better?

  30. Preliminary work
      Develop a new approach for vulnerability detection
      Detect SQL Injection and XPath Injection vulnerabilities effectively
         Generate the workload and the attack load
         Analyze the responses
         Analyze the vulnerabilities found to avoid false positives

  31. Preliminary Work Results [stacked bar chart of false positives, doubtful and confirmed vulnerabilities for VS1.1, VS1.2, VS2, VS3 and the authors' prototype (VS.WS); the segment values are not reliably recoverable from the extracted text]
