1,001 research outputs found
Automatic Generation of Tests to Exploit XML Injection Vulnerabilities in Web Applications
Modern enterprise systems can be composed of many web services (e.g., SOAP and RESTful). Users of such systems might not have direct access to those services, and instead interact with them through a single entry point that provides a GUI (e.g., a web page or a mobile app). Although the interactions with that entry point might be secure, a hacker could trick the system into sending malicious inputs to those internal web services. A typical example is XML injection targeting SOAP communications. Previous work has shown that it is possible to automatically generate such attacks using search-based techniques.
In this paper, we improve upon previous results by providing more efficient techniques to generate such attacks. In particular, we investigate four different algorithms and two different fitness functions. A large empirical study, also involving two industrial systems, shows that our technique is effective at automatically generating XML injection attacks.
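The attack shape the abstract describes, as an added illustration (this is not code from the paper or its tool): a front end that pastes user input into a SOAP request by string concatenation, the same request built as an XML tree so that input can only ever become text, and a structural oracle of the kind a search-based generator could use as a fitness signal. The operation name, element names, namespace URI and the payload string are all constructed for the example.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "http://example.invalid/bank"  # hypothetical internal service namespace
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("svc", SVC_NS)

# Constructed attack input: closes the Account element, smuggles in a second
# Amount element, then reopens Account so the request stays well-formed.
PAYLOAD = "ACC-1</svc:Account><svc:Amount>1000000</svc:Amount><svc:Account>ACC-1"


def build_request_unsafe(account: str, amount: str) -> str:
    """Entry point that pastes user input straight into the SOAP body (the flaw)."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
        f'<svc:Transfer xmlns:svc="{SVC_NS}">'
        f"<svc:Account>{account}</svc:Account>"
        f"<svc:Amount>{amount}</svc:Amount>"
        "</svc:Transfer></soap:Body></soap:Envelope>"
    )


def build_request_safe(account: str, amount: str) -> str:
    """Same request built as a tree: input becomes text nodes and the
    serializer escapes <, > and &, so it cannot open or close elements."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{SVC_NS}}}Transfer")
    ET.SubElement(op, f"{{{SVC_NS}}}Account").text = account
    ET.SubElement(op, f"{{{SVC_NS}}}Amount").text = amount
    return ET.tostring(env, encoding="unicode")


# Child elements the Transfer template is supposed to carry, in order.
EXPECTED_SHAPE = [f"{{{SVC_NS}}}Account", f"{{{SVC_NS}}}Amount"]


def injection_detected(xml_text: str) -> bool:
    """Structural oracle: the request counts as injected when it no longer
    parses, or when the Transfer operation's children differ from the one
    Account / one Amount the template defines."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return True
    op = root.find(f".//{{{SVC_NS}}}Transfer")
    if op is None:
        return True
    return [child.tag for child in op] != EXPECTED_SHAPE


def account_field(xml_text: str) -> str:
    """Text the internal service would see in the Account element."""
    return ET.fromstring(xml_text).find(f".//{{{SVC_NS}}}Account").text


if __name__ == "__main__":
    print("unsafe builder, benign input :", injection_detected(build_request_unsafe("ACC-1", "10")))
    print("unsafe builder, payload      :", injection_detected(build_request_unsafe(PAYLOAD, "10")))
    print("safe builder, payload        :", injection_detected(build_request_safe(PAYLOAD, "10")))
    print("safe builder sees account as :", account_field(build_request_safe(PAYLOAD, "10")))
```

The oracle deliberately treats a malformed request and a well-formed but reshaped one as two distinct outcomes of the same test; a generator that only checks well-formedness would miss the second, which is the one that reaches the back-end service.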
Web application penetration testing: an analysis of a corporate application according to OWASP guidelines
During the past decade, web applications have become the most prevalent way of delivering services over the Internet. As they become deeply embedded in business activities and are required to support sophisticated functionality, their design and implementation are becoming more and more complicated. This increasing popularity and complexity make web applications a primary target for hackers on the Internet. According to Internet Live Stats, as of February 2019 an enormous number of websites are attacked every day, with direct and significant impact on a huge number of people.
Even with support from security specialists, organisations continue to have trouble because of the complexity of penetration procedures and the vast number of test cases in both penetration testing and code review. As a result, the number of hacked websites per day is increasing.
The goal of this thesis is to summarize the most common and critical vulnerabilities that can be found in a web application, provide a detailed description of them, and explain how they could be exploited and how a cybersecurity tester can find them through penetration testing.
To better understand the concepts presented, a case study is also described: a penetration test performed on a company's web application.
Monitoring web applications for vulnerability discovery and removal under attack
Master's thesis, Engenharia Informática (Arquitetura, Sistemas e Redes de Computadores), Universidade de Lisboa, Faculdade de Ciências, 2018.
Web applications are ubiquitous in our everyday lives, as they are deployed in the most diverse contexts and support a variety of services. The correctness of these applications, however, can be compromised by vulnerabilities left in their source code, often with nefarious consequences such as the theft of private data and the adulteration of information. This dissertation proposes a solution for the automatic detection and removal of vulnerabilities in web applications programmed in the PHP language. By monitoring user interactions with the web applications using traditional attack discovery tools, it is possible to identify malicious inputs that may be provided by attackers. These inputs are then explored by a directed static analysis approach, allowing the discovery of potential security issues and the correction of bugs in the program. The solution was implemented and validated with a set of vulnerable web applications. The experimental results demonstrate that the tool is capable of detecting and correcting SQL injection and XSS vulnerabilities. In total, 174 vulnerabilities were found in 5 web applications, 2 of which were previously unknown to the research community (i.e., they were "zero-day" vulnerabilities).
Vulnerability assessment of Angolan university web applications
Vulnerability assessment is one of the technical procedures that can help prevent serious security breaches which, when exploited, can undermine brand credibility and/or the continuity of a business. Universities hold and process important and sensitive student and staff information, which is appealing to attackers and whose disclosure might affect the organisations' credibility. This work presents a study conducted to assess the security status of Angolan universities' web applications, identifying the most frequent security vulnerabilities and their criticality, using the OWASP Top 10 and CWE Top 25 as references to identify and validate the findings discovered during the automatic vulnerability assessment process.
Security analyses for detecting deserialisation vulnerabilities : a thesis presented in partial fulfilment of the requirements for the degree of Doctor of Philosophy in Computer Science at Massey University, Palmerston North, New Zealand
An important task in software security is to identify potential vulnerabilities. Attackers exploit security vulnerabilities in systems to obtain confidential information, to breach system integrity, and to make systems unavailable to legitimate users. In recent years, particularly 2012, there has been a rise in reported Java vulnerabilities. One type of vulnerability involves (de)serialisation, a commonly used feature to store objects or data structures in an external format and restore them. In 2015, a deserialisation vulnerability was reported involving Apache Commons Collections, a popular Java library, which affected numerous Java applications. Another major deserialisation-related vulnerability that affected 55% of Android devices was reported in 2015. Both of these vulnerabilities allowed arbitrary code execution on vulnerable systems by malicious users, a serious risk, and this came as a call for the Java community to issue patches to fix serialisation-related vulnerabilities in both the Java Development Kit and libraries.
Despite attention to coding guidelines and defensive strategies, deserialisation remains a risky feature and a potential weakness in object-oriented applications. In fact, deserialisation related vulnerabilities (both denial-of-service and remote code execution) continue to be reported for Java applications. Further, deserialisation is a case of parsing where external data is parsed from their external representation to a program's internal data structures and hence, potentially similar vulnerabilities can be present in parsers for file formats and serialisation languages.
The problem is, given a software package, to detect either injection or denial-of-service vulnerabilities and propose strategies to prevent attacks that exploit them. The research reported in this thesis casts detecting deserialisation related vulnerabilities as a program analysis task. The goal is to automatically discover this class of vulnerabilities using program analysis techniques, and to experimentally evaluate the efficiency and effectiveness of the proposed methods on real-world software. We use multiple techniques to detect reachability to sensitive methods and taint analysis to detect if untrusted user-input can result in security violations.
Challenges in using program analysis for detecting deserialisation vulnerabilities include addressing soundness issues in analysing dynamic features in Java (e.g., native code). Another hurdle is that available techniques mostly target the analysis of applications rather than library code.
In this thesis, we develop techniques to address soundness issues related to analysing Java code that uses serialisation, and we adapt dynamic techniques such as fuzzing to address precision issues in the results of our analysis. We also use the results from our analysis to study libraries in other languages, and check if they are vulnerable to deserialisation-type attacks. We then provide a discussion on mitigation measures for engineers to protect their software against such vulnerabilities.
In our experiments, we show that we can find unreported vulnerabilities in Java code, and how these vulnerabilities are also present in widely used serialisers for popular languages such as JavaScript, PHP and Rust. In our study, we discovered previously unknown denial-of-service security bugs in applications/libraries that parse external data formats such as YAML, PDF and SVG.
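The property the thesis analyses (a serialised stream naming a class whose reconstruction reaches a sensitive method) and the allow-list mitigation it points engineers towards, as an added example that is not code from the thesis. The thesis concerns Java serialisation; Python's pickle is used here as the analogue because its streams likewise name the globals to resolve and call, so the same sink-reachability argument applies. The gadget invokes a harmless marker function standing in for a real command sink, and every name (Gadget, Account, sensitive_sink, RestrictedUnpickler) is an assumption of this example.

```python
import io
import pickle

EXECUTED = []  # records side effects triggered purely by deserialising bytes


def sensitive_sink(arg):
    """Stand-in for os.system and similar: a real gadget chain ends here."""
    EXECUTED.append(arg)
    return arg


class Account:
    """Legitimate data object the application expects to receive."""

    def __init__(self, owner, balance):
        self.owner = owner
        self.balance = balance


class Gadget:
    """Generic shape of a deserialisation gadget: __reduce__ tells the
    unpickler 'rebuild me by calling sensitive_sink("pwned")', so merely
    loading the stream invokes the sink with attacker-chosen arguments."""

    def __reduce__(self):
        return (sensitive_sink, ("pwned",))


def make_malicious_payload() -> bytes:
    """Constructed attacker stream (what an untrusted client would send)."""
    return pickle.dumps(Gadget())


def make_benign_payload() -> bytes:
    """Constructed legitimate stream."""
    return pickle.dumps(Account("alice", 10))


def load_unsafe(data: bytes):
    """Vulnerable: resolves and calls whatever global the stream names."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Mitigation: resolve only an explicit allow-list of classes. Any other
    global the stream names (including sensitive_sink) is refused before the
    unpickler can call it."""

    ALLOWED = {(__name__, "Account"): Account}

    def find_class(self, module, name):
        try:
            return self.ALLOWED[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(f"forbidden global {module}.{name}") from None


def load_safe(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load_safe(data: bytes):
    """Returns the object, or None when the allow-list rejected the stream."""
    try:
        return load_safe(data)
    except pickle.UnpicklingError:
        return None


if __name__ == "__main__":
    print("unsafe load returned:", load_unsafe(make_malicious_payload()), "| sink calls:", EXECUTED)
    print("safe load of attack :", try_load_safe(make_malicious_payload()))
    acct = try_load_safe(make_benign_payload())
    print("safe load of benign :", acct.owner, acct.balance)
```

Note what the allow-list does and does not buy: it stops the stream from resolving arbitrary globals, which is the injection case the thesis targets, but it does nothing against the denial-of-service case (deeply nested or self-referential structures) that the thesis also reports; that needs size and depth limits on the parser, not just class restrictions.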
Fast scan, an improved approach using machine learning for vulnerability identification
Integrated Master's dissertation in Informatics Engineering, Universidade do Minho, Braga, Portugal. This document presents a Master's thesis focused on the automatic identification of vulnerabilities.
This thesis aims to develop a machine-learning-based tool for the automatic identification of vulnerabilities in programs (high-level source code) that uses an abstract syntax tree representation. It is based on FastScan, which uses the code2seq approach. FastScan is a recently developed system capable of detecting vulnerabilities in source code using machine learning techniques; however, FastScan is not able to identify the vulnerability type. The main goal of the presented work is to go further and develop a method to identify specific types of vulnerabilities. As will be shown, this goal is achieved by changing the way the input data are received and processed, and by developing an architecture that brings together multiple models to predict different specific vulnerabilities. The best F1 score obtained is 93%, with a precision of 90% and an accuracy of 85%, according to the tests performed on a model trained to predict injection-type vulnerabilities. These results were obtained with the help of hyperparameter optimisation and of the Search cluster of the University of Minho, which greatly reduced the time needed for training and testing. It is important to note that overfitting was detected in the late stages of testing, so these results do not represent the true value of the models in a real context. An interface is also presented that allows better interaction with the models and analysis of the scan results.
Application to Security Testing
In a world where software gradually plays a key role in daily activities, a failure may bring unpleasant consequences for its users. An example of a serious failure was the Apple iCloud security exploit in 2014, in which several private photos of celebrities were accessed without permission [icl14a][icl14b]. Apart from economic and commercial implications, such faults lead to a loss of users' trust in the software, leading to the search for alternatives and possibly to the abandonment of the old software for a new one. To address these shortcomings, the software industry increasingly relies on software testing to make sure that software contains as few failures as possible before it is deployed.
Software tests are used to analyse a program, namely to find bugs. This analysis can be done without executing the program (static analysis) or during its execution (dynamic analysis). Static analysis tools can be used to check whether there are potential executions of the program that may fail at runtime because of unexpected events, which would cause the program to produce an incorrect result or even crash. We studied some static analysis tools, JSFlow, JSPrime and TAJS, which analyse JavaScript code. These tools were modified so that they can be integrated into the Nibiru framework.
Nibiru is a modular framework that aims to help with the implementation of software testing. It uses a micro-services architecture, enabling the use of multiple programming languages in its modules, and allows its modules to be deployed on multiple machines. So far Nibiru has three operating modules and is ready to start growing with the community, which can contribute by building new modules or by making small adjustments to existing testing software to integrate it into the Nibiru framework.
PentestGPT: An LLM-empowered Automatic Penetration Testing Tool
Penetration testing, a crucial industrial practice for ensuring system security, has traditionally resisted automation due to the extensive expertise required of human professionals. Large Language Models (LLMs) have shown significant advancements in various domains, and their emergent abilities suggest their potential to revolutionize industries. In this research, we evaluate the performance of LLMs on real-world penetration testing tasks using a robust benchmark created from test machines hosted on penetration-testing platforms. Our findings reveal that while LLMs demonstrate proficiency in specific sub-tasks within the penetration testing process, such as using testing tools, interpreting outputs, and proposing subsequent actions, they also encounter difficulties maintaining an integrated understanding of the overall testing scenario.
In response to these insights, we introduce PentestGPT, an LLM-empowered automatic penetration testing tool that leverages the abundant domain knowledge inherent in LLMs. PentestGPT is meticulously designed with three self-interacting modules, each addressing individual sub-tasks of penetration testing, to mitigate the challenges related to context loss. Our evaluation shows that PentestGPT not only outperforms LLMs with a task-completion increase of 228.6% compared to the GPT-3.5 model among the benchmark targets but also proves effective in tackling real-world penetration testing challenges. Having been open-sourced on GitHub, PentestGPT has garnered over 4,700 stars and fostered active community engagement, attesting to its value and impact in both the academic and industrial spheres.