
    Automatic Generation of Tests to Exploit XML Injection Vulnerabilities in Web Applications

    Modern enterprise systems can be composed of many web services (e.g., SOAP and RESTful). Users of such systems might not have direct access to those services, and rather interact with them through a single-entry point which provides a GUI (e.g., a web page or a mobile app). Although the interactions with such entry point might be secure, a hacker could trick such systems to send malicious inputs to those internal web services. A typical example is XML injection targeting SOAP communications. Previous work has shown that it is possible to automatically generate such kind of attacks using search-based techniques. In this paper, we improve upon previous results by providing more efficient techniques to generate such attacks. In particular, we investigate four different algorithms and two different fitness functions. A large empirical study, involving also two industrial systems, shows that our technique is effective at automatically generating XML injection attacks

    Web application penetration testing: an analysis of a corporate application according to OWASP guidelines

    During the past decade, web applications have become the most prevalent way of delivering services over the Internet. As they become deeply embedded in business activities and are required to support sophisticated functionality, their design and implementation are becoming more and more complicated. This increasing popularity and complexity make web applications a primary target for hackers on the Internet. According to Internet Live Stats, as of February 2019 an enormous number of websites are attacked every day, with a direct and significant impact on a huge number of people. Even with support from security specialists, organisations continue to have trouble because of the complexity of penetration procedures and the vast number of test cases in both penetration testing and code review. As a result, the number of hacked websites per day is increasing. The goal of this thesis is to summarise the most common and critical vulnerabilities that can be found in a web application, provide a detailed description of them, explain how they could be exploited and how a cybersecurity tester can find them through the process of penetration testing. To better understand the concepts presented, a case study is also described: a penetration test performed on a company's web application.

    Monitoring web applications for vulnerability discovery and removal under attack

    Master's thesis, Informatics Engineering (Architecture, Systems and Computer Networks), Universidade de Lisboa, Faculdade de Ciências, 2018. Web applications are ubiquitous in our everyday lives, as they are deployed in the most diverse contexts and support a variety of services. The correctness of these applications, however, can be compromised by vulnerabilities left in their source code, often incurring nefarious consequences, such as the theft of private data and the adulteration of information. This dissertation proposes a solution for the automatic detection and removal of vulnerabilities in web applications programmed in the PHP language. By monitoring user interactions with the web applications using traditional attack discovery tools, it is possible to identify malicious inputs that are eventually provided by attackers. These inputs are then explored by a directed static analysis approach, allowing for the discovery of potential security issues and the correction of bugs in the program. The solution was implemented and validated with a set of vulnerable web applications. The experimental results demonstrate that the tool is capable of detecting and correcting SQL Injection and XSS vulnerabilities. In total 174 vulnerabilities were found in 5 web applications, 2 of which were previously unknown to the research community (i.e., they were "zero-day" vulnerabilities).

    Vulnerability assessment of Angolan university web applications

    Vulnerability assessment is one of the technical procedures that can help prevent serious security breaches, which, when exploited, can undermine brand credibility and/or the continuity of a business. Universities hold and process important, relevant and sensitive student and staff information that is appealing to attackers and might affect the organisations' credibility if such information is disclosed. This work presents a study conducted to assess the security status of Angolan universities' web applications, identifying the most frequent security vulnerabilities and their criticality, using the OWASP Top 10 and CWE Top 25 as references to identify and validate the findings discovered during the automatic vulnerability assessment process.

    Security analyses for detecting deserialisation vulnerabilities : a thesis presented in partial fulfilment of the requirements for the degree of Doctor of Philosophy in Computer Science at Massey University, Palmerston North, New Zealand

    An important task in software security is to identify potential vulnerabilities. Attackers exploit security vulnerabilities in systems to obtain confidential information, to breach system integrity, and to make systems unavailable to legitimate users. In recent years, particularly 2012, there has been a rise in reported Java vulnerabilities. One type of vulnerability involves (de)serialisation, a commonly used feature to store objects or data structures in an external format and restore them. In 2015, a deserialisation vulnerability was reported involving Apache Commons Collections, a popular Java library, which affected numerous Java applications. Another major deserialisation-related vulnerability that affected 55% of Android devices was reported in 2015. Both of these vulnerabilities allowed arbitrary code execution on vulnerable systems by malicious users, a serious risk, and this came as a call for the Java community to issue patches to fix serialisation-related vulnerabilities in both the Java Development Kit and libraries. Despite attention to coding guidelines and defensive strategies, deserialisation remains a risky feature and a potential weakness in object-oriented applications. In fact, deserialisation-related vulnerabilities (both denial-of-service and remote code execution) continue to be reported for Java applications. Further, deserialisation is a case of parsing where external data is parsed from its external representation into a program's internal data structures and hence, potentially similar vulnerabilities can be present in parsers for file formats and serialisation languages. The problem is, given a software package, to detect either injection or denial-of-service vulnerabilities and propose strategies to prevent attacks that exploit them. The research reported in this thesis casts detecting deserialisation-related vulnerabilities as a program analysis task.
The goal is to automatically discover this class of vulnerabilities using program analysis techniques, and to experimentally evaluate the efficiency and effectiveness of the proposed methods on real-world software. We use multiple techniques to detect reachability to sensitive methods and taint analysis to detect if untrusted user-input can result in security violations. Challenges in using program analysis for detecting deserialisation vulnerabilities include addressing soundness issues in analysing dynamic features in Java (e.g., native code). Another hurdle is that available techniques mostly target the analysis of applications rather than library code. In this thesis, we develop techniques to address soundness issues related to analysing Java code that uses serialisation, and we adapt dynamic techniques such as fuzzing to address precision issues in the results of our analysis. We also use the results from our analysis to study libraries in other languages, and check if they are vulnerable to deserialisation-type attacks. We then provide a discussion on mitigation measures for engineers to protect their software against such vulnerabilities. In our experiments, we show that we can find unreported vulnerabilities in Java code; and how these vulnerabilities are also present in widely-used serialisers for popular languages such as JavaScript, PHP and Rust. In our study, we discovered previously unknown denial-of-service security bugs in applications/libraries that parse external data formats such as YAML, PDF and SVG

    Fast scan, an improved approach using machine learning for vulnerability identification

    Integrated Master's dissertation in Informatics Engineering. This document presents a Master's thesis in the Integrated Master's in Informatics Engineering focused on the automatic identification of vulnerabilities, carried out at Universidade do Minho in Braga, Portugal. This thesis work aims at developing a machine learning based tool for the automatic identification of vulnerabilities in programs (source, high-level code) that uses an abstract syntax tree representation. It is based on FastScan, using the code2seq approach. FastScan is a recently developed system capable of detecting vulnerabilities in source code using machine learning techniques. Nevertheless, FastScan is not able to identify the vulnerability type. In the presented work the main goal is to go further and develop a method to identify specific types of vulnerabilities. As will be shown, the goal is achieved by changing the method of receiving and processing the input data and by developing an architecture that brings together multiple models to predict different specific vulnerabilities. The best f1 metric obtained is 93%, resulting in a precision of 90% and an accuracy of 85%, according to the performed tests and regarding a model trained to predict vulnerabilities of the injection type. These results were obtained with the contribution of the optimisation of the models' hyperparameters and also the use of the Search cluster of the University of Minho, which greatly reduced the time needed to perform training and testing. It is important to note that overfitting was detected in the late stages of the tests, so these results do not represent the true value in a real context. 
    An interface is also presented, which allows better interaction with the models and analysis of the scan results. This document presents a dissertation of the Integrated Master's in Informatics Engineering, focused on automating the detection of vulnerabilities, which was completed at Universidade do Minho in Braga, Portugal. The work presented in this thesis aims to develop a tool that uses machine learning and is capable of identifying vulnerabilities in code, using for that purpose its representation as an abstract syntax tree. It is based on FastScan, which uses the code2seq approach. FastScan is a recently developed project capable of detecting vulnerabilities in code using machine learning techniques, but it has some gaps, such as not being able to identify specific vulnerabilities. In the presented work the goal is to go further and develop a method capable of identifying the specific type of vulnerability present. As will be shown throughout the document, this goal is achieved by changing the method of receiving and processing the input data, as well as by developing an architecture that brings the various models together so that they cooperate and the tool is able to detect and predict the presence of specific vulnerabilities. The best f1 metric obtained was 93%, with a precision of 90% and an accuracy of 85%, according to the tests performed on a model trained to predict the presence of injection-type vulnerabilities. The results were obtained thanks to the optimisation of the models' hyperparameters, and the Search cluster of the University of Minho considerably reduced the time needed to train and test the models. It is important to note that overfitting was detected in the final phase of the development of this work, so the results presented do not represent the real value of the models in a real context. 
    In addition, an interface is presented that allows interacting with and analysing the results of a scan performed by the models.

    Application to Security Testing

    In a world where software gradually plays a key role in daily life, a failure may bring unpleasant consequences for its users. An example of a serious failure was the Apple iCloud security exploit case in 2014, where several private photos of celebrities were accessed without permission [icl14a][icl14b]. Apart from economic and commercial implications, these faults lead to a loss of trust in software by users, thus leading to the consequent search for an alternative, and may even result in users leaving the old software for a new alternative. To address these shortcomings, the software industry started to use software testing to make sure that the software contains the minimum possible number of failures before its deployment. Software tests are used to analyse the program, namely to search for bugs. This analysis can be done without program execution (static analysis) or during execution (dynamic analysis). Static analysis tools can be used to check for potential executions of the program that have not been prematurely aborted due to an unexpected event at runtime, which does not ensure that the program will display the correct result. We studied some static analysis tools, JSFlow, JSPrime and TAJS, which analyse JavaScript code. These tools have been modified so they can be integrated into the Nibiru framework. Nibiru is a modular framework that aims to help in the implementation of software testing. It uses a micro-services architecture, enabling the use of multiple programming languages in its modules, and has the ability to run its modules on multiple machines. So far Nibiru has three operating modules and it is ready to start growing with the community, which can contribute to the construction of new modules or make small adjustments to existing testing software to integrate it into the Nibiru framework. In a world where software plays an increasingly fundamental role in daily activities, a failure can bring unpleasant consequences for its users. 
    As an example of a serious failure, there is the Apple iCloud security exploit case in 2014 [icl14a][icl14b], where several photos of celebrities were accessed without permission. Beyond economic and commercial repercussions, these failures lead to a loss of users' trust in the software, thus leading to the consequent search for alternatives to it, and possibly even resulting in the abandonment of the old software. To address these failures, today the industry increasingly invests in software testing to make sure that the software contains as few failures as possible before going to market. Software tests serve to analyse the program, namely to find bugs. This analysis can be done without executing the program (static analysis) or during its execution (dynamic analysis). Static analysis tools are used to check whether there are potential executions of the program that may fail during execution due to unexpected events, which causes the program to present an incorrect result or even crash. Some static analysis tools that analyse JavaScript code were studied: JSFlow, JSPrime and TAJS. These tools were modified so that they could be integrated into the Nibiru framework. Nibiru is a modular framework whose purpose is to help in running software tests. It uses a micro-services architecture, enabling the use of multiple programming languages in its modules, and has the ability to run its modules on several machines. So far Nibiru has three operational modules and is ready to grow with the computing community, which can contribute by building new modules.

    PentestGPT: An LLM-empowered Automatic Penetration Testing Tool

    Penetration testing, a crucial industrial practice for ensuring system security, has traditionally resisted automation due to the extensive expertise required by human professionals. Large Language Models (LLMs) have shown significant advancements in various domains, and their emergent abilities suggest their potential to revolutionize industries. In this research, we evaluate the performance of LLMs on real-world penetration testing tasks using a robust benchmark created from test machines with platforms. Our findings reveal that while LLMs demonstrate proficiency in specific sub-tasks within the penetration testing process, such as using testing tools, interpreting outputs, and proposing subsequent actions, they also encounter difficulties maintaining an integrated understanding of the overall testing scenario. In response to these insights, we introduce PentestGPT, an LLM-empowered automatic penetration testing tool that leverages the abundant domain knowledge inherent in LLMs. PentestGPT is meticulously designed with three self-interacting modules, each addressing individual sub-tasks of penetration testing, to mitigate the challenges related to context loss. Our evaluation shows that PentestGPT not only outperforms LLMs with a task-completion increase of 228.6% compared to the \gptthree model among the benchmark targets but also proves effective in tackling real-world penetration testing challenges. Having been open-sourced on GitHub, PentestGPT has garnered over 4,700 stars and fostered active community engagement, attesting to its value and impact in both the academic and industrial spheres.