CSSXC: Context-sensitive Sanitization Framework for Web Applications against XSS Vulnerabilities in Cloud Environments
Abstract: This paper presents a context-sensitive sanitization based XSS defensive framework for the cloud environment. It discovers all the hidden injection points in HTML5-based web applications deployed on the platforms of cloud and sanitizes the XSS attack payloads injected in such points in a context sensitive manner. The identification of such injection points permits our technique to retrieve each possible web page of application, allowing a wider exploration and accelerating the process of applying the sanitizers on the untrusted variables of web application. The XSS attack mitigation capability of our framework was evaluated on web applications deployed for the cloud users in the cloud environment. The experimental results reveal that this technique detects the XSS attack payloads with minimum rate of false negatives and less runtime overhead.
Code Injection Attacks on HTML5-based Mobile Apps
HTML5-based mobile apps become more and more popular, mostly because they are
much easier to be ported across different mobile platforms than native apps.
HTML5-based apps are implemented using the standard web technologies, including
HTML5, JavaScript and CSS; they depend on some middlewares, such as PhoneGap,
to interact with the underlying OS.
Knowing that JavaScript is subject to code injection attacks, we have
conducted a systematic study on HTML5-based mobile apps, trying to evaluate
whether it is safe to rely on the web technologies for mobile app development.
Our discoveries are quite surprising. We found out that if HTML5-based mobile
apps become popular--it seems to go that direction based on the current
projection--many of the things that we normally do today may become dangerous,
including reading from 2D barcodes, scanning Wi-Fi access points, playing MP4
videos, pairing with Bluetooth devices, etc. This paper describes how
HTML5-based apps can become vulnerable, how attackers can exploit their
vulnerabilities through a variety of channels, and what damage can be achieved
by the attackers. In addition to demonstrating the attacks through example
apps, we have studied 186 PhoneGap plugins, used by apps to achieve a variety
of functionalities, and we found that 11 are vulnerable. We also found two real
HTML5-based apps that are vulnerable to the attacks.
Comment: In Proceedings of the Third Workshop on Mobile Security Technologies
(MoST) 2014 (http://arxiv.org/abs/1410.6674)
Automated Dynamic Firmware Analysis at Scale: A Case Study on Embedded Web Interfaces
Embedded devices are becoming more widespread, interconnected, and
web-enabled than ever. However, recent studies showed that these devices are
far from being secure. Moreover, many embedded systems rely on web interfaces
for user interaction or administration. Unfortunately, web security is known to
be difficult, and therefore the web interfaces of embedded systems represent a
considerable attack surface.
In this paper, we present the first fully automated framework that applies
dynamic firmware analysis techniques to achieve, in a scalable manner,
automated vulnerability discovery within embedded firmware images. We apply our
framework to study the security of embedded web interfaces running in
Commercial Off-The-Shelf (COTS) embedded devices, such as routers, DSL/cable
modems, VoIP phones, IP/CCTV cameras. We introduce a methodology and implement
a scalable framework for discovery of vulnerabilities in embedded web
interfaces regardless of the vendor, device, or architecture. To achieve this
goal, our framework performs full system emulation to achieve the execution of
firmware images in a software-only environment, i.e., without involving any
physical embedded devices. Then, we analyze the web interfaces within the
firmware using both static and dynamic tools. We also present some interesting
case-studies, and discuss the main challenges associated with the dynamic
analysis of firmware images and their web interfaces and network services. The
observations we make in this paper shed light on an important aspect of
embedded devices which was not previously studied at a large scale.
We validate our framework by testing it on 1925 firmware images from 54
different vendors. We discover important vulnerabilities in 185 firmware
images, affecting nearly a quarter of vendors in our dataset. These
experimental results demonstrate the effectiveness of our approach.
Web Application Weakness Ontology Based on Vulnerability Data
Web applications are becoming more ubiquitous. All manner of physical devices
are now connected and often have a variety of web applications and
web-interfaces. This proliferation of web applications has been accompanied by
an increase in reported software vulnerabilities. The objective of this
analysis of vulnerability data is to understand the current landscape of
reported web application flaws. Along those lines, this work reviews ten years
(2011 - 2020) of vulnerability data in the National Vulnerability Database.
Based on this data, most common web application weaknesses are identified and
their profiles presented. A weakness ontology is developed to capture the
attributes of these weaknesses. These include their attack method and attack
vectors. Also described is the impact of the weaknesses to software quality
attributes. Additionally, the technologies that are susceptible to each
weakness are presented; they include programming languages, frameworks,
communication protocols, and data formats.
Detecting Cross-Site Scripting Attacks Using Machine Learning
Cross-site scripting (XSS) is one of the most frequently occurring types of attacks on web applications, hence is of importance in information security. XSS is where the attacker injects malicious code, typically JavaScript, into the web application in order to be executed in the user’s browser. Identifying that a script is malicious is an important part of the defence of a web application. This paper investigates using SVM, k-NN and Random Forests to detect and limit these attacks, whether known or unknown, by building classifiers for JavaScript code. It demonstrated that using an interesting feature set combining language syntax and behavioural features results in classifiers that give high accuracy and precision on large real world data sets without restricting attention only to obfuscation.